US20110317678A1 - Extended Private LAN - Google Patents

Extended Private LAN

Info

Publication number: US20110317678A1
Authority: US (United States)
Prior art keywords: node, network, plsb, sid, virtual
Legal status: Abandoned (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis)
Application number: US13/226,601
Inventors: David Allan, Liam Casey
Current assignee: Nortel Networks Ltd; RPX Clearinghouse LLC (the listed assignees may be inaccurate)
Original assignee: Nortel Networks Ltd
Application filed by Nortel Networks Ltd
Assigned to Rockstar Consortium US LP (assignors: Rockstar Bidco, LP)
Assigned to RPX Clearinghouse LLC (assignors: Bockstar Technologies LLC, Constellation Technologies LLC, Mobilestar Technologies LLC, Netstar Technologies LLC, Rockstar Consortium LLC, Rockstar Consortium US LP)

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 12/00: Data switching networks
    • H04L 12/28: Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L 12/46: Interconnection of networks
    • H04L 12/4641: Virtual LANs, VLANs, e.g. virtual private networks [VPN]
    • H04L 12/4645: Details on frame tagging
    • H04L 12/465: Details on frame tagging wherein a single frame includes a plurality of VLAN tags
    • H04L 12/4662: Details on frame tagging wherein a single frame includes a plurality of VLAN tags wherein a VLAN tag represents a service instance, e.g. I-SID in PBB

Definitions

  • This invention relates to providing a virtual private network across a provider network.
  • VPN Virtual Private Networking
  • Existing VPN technologies are primarily aimed at the enterprise sector, and connect sites of an enterprise. In addition they may allow home workers to access the network of their employer from their home office, or allow “road warriors” to access the network of their employer while travelling.
  • A VPN can be established at networking Layer 2 or Layer 3.
  • VPLS Virtual Private LAN Service
  • IETF Internet Engineering Task Force
  • RFCs Requests for Comments
  • Virtual Private LAN Service (VPLS) is described in IETF Requests for Comments (RFCs) numbers 4664, 4761 and 4762.
  • This provides Ethernet multipoint-to-multipoint communication over IP/MPLS networks. Geographically dispersed sites share the same Ethernet broadcast domain and traffic between the sites is carried by a full mesh topology of “pseudo-wires” between the sites.
  • One of the difficulties of VPLS is that when a new end point connects to the network, there is a discovery process to discover all the other end points associated with the Virtual Private LAN service, followed by signalling to set up a mesh of service-specific pseudo-wires to serve the new end point. This can take some time to achieve, will have intermediate states where only partial connectivity is available, and will generate a significant amount of telemetry due to the inefficiency of utilizing an N-squared mesh.
  • RADIUS Remote Authentication Dial In User Service
  • When a Customer Edge (CE) request to join a VPN is granted, the provider network node that it is connected to, the Provider Edge (PE), learns the identifier of the Customer Edge (CE) VPN and the IP addresses of the VPN's PEs. This still requires the new PE to establish an L2TP Control Connection with each of the other PEs of the VPN. While having some desirable characteristics for the desired service model, this approach focused primarily on discovery of endpoints via a central registration authority.
  • VPN technologies are primarily aimed at the enterprise sector, and are typically considered too difficult, or inflexible, to be applied at a residential scale or with fulfillment times that render them undesirable for roaming users.
  • Some specialist applications exist for allowing a user to remotely access a device or application on a home network, while away from their home.
  • One example is described in WO 2005/122025 A2 (Sling Media).
  • A personal media broadcasting system allows video distribution from a media source in the home to a media player at a remote location over a computer network and allows a user to view and control the media source in the home over the computer network.
  • These specialist applications typically require bespoke software on a device in the home network and on the roaming device, and require configuration of the home network's firewall to allow the application to communicate with the roaming device.
  • These applications typically interface directly with Layer 3, with traffic being carried over the Internet.
  • The present invention seeks to provide an alternative way of providing a Virtual Private Network across a provider network.
  • A Provider Link State Bridging (PLSB) network provides an instance of a virtual private Ethernet switching service between a private LAN attached to a first node of the PLSB network and at least one roaming device attached to a respective second node of the PLSB network.
  • The PLSB network comprises a control plane and a data plane. Data packets in the PLSB network carry I-SID identifiers to differentiate traffic of different network users.
  • A virtual bridging function is provided at the first node.
  • A first I-SID identifier is allocated to traffic of the virtual private Ethernet switching service instance in the PLSB network.
  • A PLSB path labeled by the first I-SID is established between the virtual bridging function and each respective second node.
  • The roaming device is authenticated for access to the virtual private Ethernet switching service.
  • A successful authentication returns the first I-SID to the second node.
  • The first I-SID is added to a list of I-SIDs to be advertised into the PLSB network by the second node.
  • The first I-SID identifier is advertised into the PLSB network by the virtual bridging function and the second node.
  • The advertising is via the control plane of the PLSB network.
  • A PLSB path is established by the PLSB control plane in response to the advertising.
  • The roaming device is bound to a PLSB UNI interface at the second node using the first I-SID. Traffic is bridged at the virtual bridging function between the private LAN and the PLSB path to each second node.
  • A virtual private Ethernet switching service can also be considered as an Ethernet virtual private network (VPN) service which connects devices on the private LAN to the roaming device, or devices. Effectively, this creates an Extended Private LAN.
  • VPN Ethernet virtual private network
  • Roaming devices are authenticated before joining the instance of the virtual private network service.
  • PLSB Provider Link State Bridging
  • One advantage is that connectivity between members of a particular VPN is maintained as part of the PLSB Link State process for forwarding table maintenance, and does not require any form of explicit signalling or additional endpoint discovery procedures. This can allow a large number of VPNs to be formed at any time, such as providing a VPN for each private premises. It can also allow newly authenticated roaming devices to be added to a VPN on demand, in real time or near real time, even across large provider networks and in situations where a roaming device connects to a network access point which that device has not used before.
  • PLSB provides for a number of embodiments of VPN connectivity.
  • The simplest and most scalable is to provide a single virtual bridging function for each virtual private network instance, and to locate the virtual bridging function at the first node of the PLSB network.
  • The virtual bridging function serves as a hub and each PLSB path to a respective second node is a point-to-point connection or ‘spoke’.
  • Each VPN instance therefore has a simple hub-and-spoke topology. This can significantly help to scale the number of supported VPNs.
  • End-to-end Layer 2 (Ethernet) connectivity is particularly advantageous as it allows Ethernet “plug and play” behaviour between devices on the private LAN and any roaming device.
  • The Layer 2 connectivity between the roaming device and the devices connected to the private LAN allows the devices to discover one another by broadcasting conventional messages over the virtual private network, without requiring complex protocols or assistance from other network entities.
  • The functionality described here can be implemented in software, hardware or a combination of these.
  • The invention can be implemented by means of hardware comprising several distinct elements, and by means of a suitably programmed computer. Accordingly, another aspect of the invention provides software for performing any of the steps of the method.
  • The software comprises instructions which, when executed by a processor, cause the processor to perform the described method.
  • The software may be tangibly embodied on an electronic memory device, hard disk, optical disk or any other machine-readable storage medium.
  • The software may be delivered as a computer program product on a machine-readable carrier or it may be downloaded to a node of the network via a network connection.
  • FIG. 1 shows an embodiment of an Extended Private LAN, being the extension of a residential LAN across a provider network to include two roaming devices;
  • FIG. 2 shows the functionality associated with the Hub Aggregation Gateway (HAG) of FIG. 1;
  • HAG Hub Aggregation Gateway
  • FIG. 3 shows the functionality associated with the Visited Aggregation Gateway (VAG) of FIG. 1;
  • FIG. 4 shows a process of authenticating one roaming device to join an Extended Private LAN;
  • FIGS. 5 and 6 show an example of a provider network supporting PLSB which can be used in FIG. 1;
  • FIG. 7 shows the format of a MAC-in-MAC frame used across the provider network.
  • FIG. 8 shows the location of a Service Identifier (I-SID) within the MAC-in-MAC frame of FIG. 7.
  • I-SID Service Identifier
  • FIG. 1 shows a provider network 1 in accordance with an embodiment of the invention.
  • The provider network 1 comprises a core network 40 and attachment networks 42, 44, 46.
  • A communications subscriber has a private LAN network 10 at a premises 14, such as a home, office or other site.
  • The private LAN network 10 comprises a wired or wireless Ethernet-based distribution network which connects devices 15.
  • Devices 15 can include: a communication device; a server which stores music, video, digital images or any other form of media content; a broadcast receiver; a Personal Video Recorder (PVR); a printer; a home appliance; a security system; a home environment control system (e.g. controlling lighting, heating etc.) or any other device which is capable of being connected to the network.
  • PVR Personal Video Recorder
  • An Extended Private LAN service is provided which has the effect of extending the private LAN 10 across the provider network 1 to roaming devices 16, 18 connected to access points of the provider network.
  • A Customer Edge (CE) device 12 interfaces between the Private LAN network 10 and an Attachment Network 42 by way of a first mile broadband connection 21.
  • The CE has the functionality of an Ethernet Bridge or Switch.
  • The broadband connection 21 can use Digital Subscriber Line, Passive Optical Network (PON), cable, or any other suitable broadband access technology.
  • An Access Node (AN) 20, e.g. a Digital Subscriber Line Access Multiplexer (DSLAM), may terminate the first mile broadband media 21 and map the traffic from the CE 12 onto an attachment virtual circuit (avc) in a packet trunk 25.
  • The packet trunk 25 can transport the aggregation of many avcs between the AN 20 and an Attachment Gateway (AG) 22.
  • Node 22 serves as a gateway to a Layer 2 provider network 40 and may also offer access to Layer 3 networks, such as the Internet 30.
  • The node 22 can serve as the Hub for the Extended Private LAN service for the private LAN network 10 and is thus designated as a Hub Attachment Gateway (HAG).
  • HAG Hub Attachment Gateway
  • A virtual bridging function is hosted by the HAG for traffic to/from the private LAN network 10.
  • A Layer 2 provider network 40 interconnects a large number of nodes 22, 62, 82.
  • The Layer 2 provider network 40 will be described in more detail later.
  • The Layer 2 provider network 40 is an Ethernet-based network which supports Provider Link State Bridging (PLSB).
  • PLSB is described in WO 2007/03856A1.
  • Traffic is carried across Layer 2 provider network 40 in encapsulated form, such as MAC-in-MAC (IEEE 802.1ah), with encapsulation being applied at node 22 and removed at a destination edge node, such as one of nodes 62, 82.
  • The use of encapsulation constrains the range of MAC addresses that are required within the provider network and also helps to constrain the area over which PLSB is required to operate.
  • Roaming devices 16, 18 can connect to the Layer 2 provider network 40 by way of (other) Attachment networks 44, 46.
  • Each Attachment Network 44, 46 connects to the Layer 2 provider network 40 via a respective Visited Attachment Gateway (VAG) 62, 82.
  • VAG Visited Attachment Gateway
  • Each VAG 62, 82 performs the same traffic encapsulation/de-encapsulation functions as described above for the HAG 22.
  • Roaming devices 16, 18 can connect to Attachment Networks 44, 46 via access points. Access points may be provided in public areas, such as hotels and airports, and can comprise wireless LAN access points (APs) 19, or connections can be made over public wireless networking technologies, such as WiMAX, using attachment networks 60.
  • APs wireless LAN access points
  • A roaming device can form a connection to Layer 2 provider network 40 via any suitable access point.
  • Roaming devices 16, 18 can comprise portable devices which support wireless access, such as WiFi, WiMAX or any other suitable wireless access technology, or they can use a wired connection, and protocol, to connect to the access point.
  • Attachment to the provider network 40 is governed by an attachment network-specific Access Node 60, 80 that includes an Authenticator Function. Those skilled in the art will recognise that the location and operation of the Authenticator Function varies depending on the first mile technology of the Attachment Network.
  • Each Attachment Network 44, 46 can transparently carry Ethernet traffic to the provider's core network 40.
  • Roaming devices 16, 18 will have a relationship with a private local area network 10.
  • The roaming device 16, 18 may comprise a portable computer or game machine and may belong to the owner of the private network 10, or one of their family members, or roaming device 16, 18 may belong to an employee of the office at which the private LAN 10 is located.
  • The device is authenticated (see FIG. 4).
  • Spoke connectivity 26, 28 is formed between the VAG 62, 82 of the Attachment network 44, 46 and the HAG 22 so that all packets from the device 16, 18 are transported to the HAG virtual bridge function (FIG. 2, 210) which forwards traffic to the private LAN 10.
  • The process of connecting the device 16, 18 to the virtual local area network includes a step of associating, or “binding”, a Service Identifier of the extended private LAN to the access point, or port, of the Layer 2 provider network 40 that the device 16, 18 has connected to.
  • This point can be described as a PLSB User-Network Interface (UNI).
  • The Layer 2 provider network 40 is then updated to add the port where the roaming device has attached to the network to the community of interest identified by the Service Identifier(s), by establishing connectivity between the private network 10 and the port to which devices 16, 18 are connected according to the multicast attributes associated with the service identifier(s).
  • The roaming device 16, 18 can be identified using a shared secret, which is known to the roaming device and to the authentication function hosted in a Service Manager (SM) 52 located in the provider network 40.
  • SM Service Manager
  • PLSB permits multiple forms of connectivity to be established.
  • The type of connectivity requested is a function of the multicast attributes associated with the network node 22, 62, 82 advertising interest in a specific Service Identifier.
  • The available multicast attributes are: register no multicast interest, send interest, and/or receive interest.
  • Where no multicast capability is required of the PLSB network, no interest is advertised.
  • Two service instances can be employed, the HAG 22 advertising send multicast interest in one and receive interest in the other, and the spokes, VAGs 62, 82, advertising the opposite arrangement.
  • There is also a realization of an Ethernet VPN service where all end points advertise both send and receive interest with the end points all operating in “split horizon” mode.
  • The virtual LAN can be considered as a personal LAN as the community of interest can be as small as a single residence and roaming devices belonging to family members of that residence.
  • The Extended Private LAN connects the Private local area network 10 at the customer site and the roaming device 16, 18.
  • The Extended Private LAN connects a single private local area network 10 and a single roaming device, and this single hub and spoke connectivity is enforced by the lack of multicast attributes associated with the Service Identifier.
  • The preferred realization of the invention is not intended to connect Private local area networks at multiple premises (e.g. of family members and/or friends) into a single Extended Private LAN, although this can be achieved using the mechanisms described herein, especially where the multiple premises are connected by the same attachment network.
  • The PLSB Service Identifier used to identify each service is carried as the I-SID field 180 (FIG. 8) of the 802.1ah Ethernet packets used within the provider network 40.
  • A service is typically the traffic of a particular enterprise or a particular telecommunications operator with which the carrier network has an agreement.
  • The provider network encapsulates Ethernet packets at an edge node, and adds a further header 150, 160 (FIG.
  • The encapsulation is removed from each packet at a destination edge node.
  • The encapsulation also includes the I-SID 180.
  • A unique Service Identifier is used to identify each Extended Private LAN, the Service Identifier being assigned in the first instance to the private LAN 10 and also being assigned to roaming devices 16, 18 as described below.
  • The provider network 40 will connect to a large number of private LANs 10.
  • Each Extended Private LAN has a unique I-SID to identify traffic forming part of that virtual private network.
  • Ethernet flows from the CE 12 are demultiplexed from the aggregate flow 25 by an Attachment Network Termination function 202 and fed to one of a plurality of Virtual Service Instances (VSIs) 200, there being a one-for-one match between Private LANs 10 and Virtual Service Instances 200.
  • VSIs Virtual Service Instances
  • The Ethernet flow from the Private LAN 10 is treated as a virtual port to an Ethernet Bridge function 210.
  • The traffic flow to the private LAN 10 is a spoke to the bridge 210, which serves as a hub.
  • A PLSB Edge function 204 de-encapsulates Ethernet Packets received from the provider core network 40 and encapsulates Ethernet packets entering the provider core network 40.
  • Flows 26, 28 from the provider core network are delivered to the Ethernet Bridge function 210 by the PLSB Edge function 204.
  • Each Ethernet packet carries an encapsulated I-SID.
  • The PLSB Edge function 204 de-encapsulates packets from roaming devices 16, 18 and selects the VSI 200 that corresponds to the encapsulated I-SID.
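As an added illustration, not code from the patent, the following Python builds the 802.1ah MAC-in-MAC frame of FIGS. 7 and 8, places the 24-bit I-SID in the I-TAG, and models the PLSB Edge function's selection of a service instance by I-SID, dropping frames whose I-SID has no instance bound at this node. The function and class names, MAC addresses and I-SID values are constructed for the example.

```python
import struct

# IEEE 802.1ah (MAC-in-MAC) tag identifiers and field sizes.
TPID_BTAG = 0x88A8          # B-TAG ethertype (S-TAG format)
TPID_ITAG = 0x88E7          # I-TAG ethertype
ISID_MAX = (1 << 24) - 1    # I-SID is 24 bits wide
BACKBONE_HDR_LEN = 6 + 6 + 4 + 6   # B-DA, B-SA, B-TAG, I-TAG

def mac(text: str) -> bytes:
    """Parse 'aa:bb:cc:dd:ee:ff' into 6 raw bytes."""
    raw = bytes.fromhex(text.replace(":", ""))
    if len(raw) != 6:
        raise ValueError("MAC address must be 6 bytes")
    return raw

def encapsulate(b_da: bytes, b_sa: bytes, b_vid: int, isid: int, customer_frame: bytes) -> bytes:
    """Wrap a customer Ethernet frame (C-DA, C-SA, type, payload) in a backbone
    header: B-DA, B-SA, B-TAG (B-VID), I-TAG whose low 24 bits carry the I-SID."""
    if not 0 <= isid <= ISID_MAX:
        raise ValueError("I-SID must fit in 24 bits")
    if not 0 <= b_vid < 4096:
        raise ValueError("B-VID must fit in 12 bits")
    if len(customer_frame) < 14:
        raise ValueError("customer frame too short")
    btag = struct.pack("!HH", TPID_BTAG, b_vid)   # PCP/DEI left at 0
    itag = struct.pack("!HI", TPID_ITAG, isid)    # PCP/DEI/UCA/Res = 0, I-SID in low 24 bits
    return b_da + b_sa + btag + itag + customer_frame

def decapsulate(frame: bytes):
    """Strip the backbone header and return (B-DA, B-SA, B-VID, I-SID, customer frame).
    Anything that is not a well-formed MAC-in-MAC frame is rejected."""
    if len(frame) < BACKBONE_HDR_LEN + 14:
        raise ValueError("frame too short for MAC-in-MAC")
    b_da, b_sa = frame[0:6], frame[6:12]
    tpid_b, tci_b = struct.unpack("!HH", frame[12:16])
    tpid_i, tci_i = struct.unpack("!HI", frame[16:22])
    if tpid_b != TPID_BTAG or tpid_i != TPID_ITAG:
        raise ValueError("not an 802.1ah frame")
    return b_da, b_sa, tci_b & 0x0FFF, tci_i & ISID_MAX, frame[BACKBONE_HDR_LEN:]

class PLSBEdge:
    """Model of the PLSB Edge function (204/304): I-SID -> service instance.
    A frame whose I-SID is not bound here is dropped rather than delivered,
    which is what keeps one subscriber's traffic out of another's instance."""
    def __init__(self):
        self.instances = {}   # I-SID -> instance name (VSI or cross-connect)
        self.dropped = 0

    def bind(self, isid: int, name: str) -> None:
        self.instances[isid] = name

    def deliver(self, frame: bytes):
        """Return (instance name, customer frame), or None if the I-SID is unknown."""
        _, _, _, isid, inner = decapsulate(frame)
        name = self.instances.get(isid)
        if name is None:
            self.dropped += 1
            return None
        return name, inner

def demo():
    # Constructed sample: a device on the private LAN (device 15) sending to a
    # roaming device (device 16), carried from HAG 22 to VAG 62 under I-SID 0xABCD.
    c_frame = mac("02:00:00:00:00:15") + mac("02:00:00:00:00:16") + b"\x08\x00" + b"hello"
    hag_bmac, vag_bmac = mac("02:ab:00:00:00:22"), mac("02:ab:00:00:00:62")
    wire = encapsulate(vag_bmac, hag_bmac, b_vid=100, isid=0x00ABCD, customer_frame=c_frame)
    edge = PLSBEdge()
    edge.bind(0x00ABCD, "VSI-premises-14")
    delivered = edge.deliver(wire)
    # Same payload under an I-SID this edge has not bound: must not be delivered.
    stray = edge.deliver(encapsulate(vag_bmac, hag_bmac, 100, 0x00ABCE, c_frame))
    return wire, delivered, stray, edge.dropped

if __name__ == "__main__":
    wire, delivered, stray, dropped = demo()
    print("I-SID bytes on the wire:", wire[19:22].hex(), "delivered to:", delivered[0], "dropped:", dropped)
```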
  • A Residential Gateway function 212 is provided as part of the VSI 200, which can be realized as another spoke off of the Ethernet Bridge 210.
  • The Residential gateway function 212 includes such functions as firewalling and may also include Network Address Translation (NAT) for traffic entering or leaving the Extended Private LAN.
  • An Access Router (AR) function 206 is responsible for routing traffic to or from the Internet 30.
  • The Service Provider can deploy virtualized servers, such as Media gateways 220, relating to services other than the Internet, directly as spokes into the Ethernet Bridge 210.
  • Media gateways 220 may provide services such as Internet Protocol Television (IPTV).
  • IPTV Internet Protocol Television
  • FIG. 3 shows the functionality associated with the Visited Aggregation Gateway (VAG) in an Attachment Network.
  • A PLSB Edge function 304 de-encapsulates Ethernet Packets received from the provider core network 40 and encapsulates Ethernet packets entering the provider core network 40.
  • Ethernet flows from the Access Node are demultiplexed by an Attachment Network Termination function 302 and fed to a Virtual Circuit Cross Connect instance 340.
  • Each Ethernet packet carries an encapsulated I-SID.
  • The I-SID uniquely identifies traffic of a particular VPN.
  • The PLSB Edge function 304 de-encapsulates packets received from the provider core network 40 and applies them to the instance of the virtual circuit cross connect 340 that corresponds to the encapsulated I-SID.
  • The PLSB Edge function 304 interfaces to the PLSB control plane and, as will be described below, advertises when a new roaming device connects to the VAG.
  • The Virtual Circuit Cross Connect maps traffic of a particular VPN (identified by an I-SID) to a virtual circuit leading to a port of an Access Node 60, 80 to which the roaming device 16, 18 of that VPN is connected.
  • VAG 62, 82 also hosts an Authentication, Authorization and Accounting (AAA) Relay function 350 which participates in the authentication of roaming devices.
  • A successful authentication of a roaming device which has connected to the VAG returns an I-SID for the VPN to which the roaming device should be connected.
  • The I-SID is passed to the Virtual Circuit Cross Connect 340.
  • The extended Private LAN allows a roaming device to access devices 15 on the private network 10.
  • The extended Private LAN provides end-to-end Layer 2 connectivity. This will allow a user to view digital images, listen to their music library and view video content such as video clips, movies or recorded television programmes.
  • The Layer 2 connectivity between the roaming device and the devices connected to the home network allows the devices to discover one another by broadcasting conventional messages over the virtual LAN, without requiring complex protocols or assistance from other network entities. Stated another way, it allows “plug and play” behaviour between devices on the home network and any roaming device. To a user of the home network, the roaming device will appear to be another device connected directly to the home network. It is also possible for roaming devices to access other roaming devices in the same Extended Private LAN service instance for applications such as conferencing.
  • FIG. 4 shows the authentication and binding process which occurs when a roaming device 16, 18 attempts to connect to a port of the provider network 40.
  • The steps shown in FIG. 4 are the steps for an IEEE 802.1x Extensible Authentication Protocol (EAP) authentication exchange, although it will be appreciated that other authentication protocols can be used.
  • EAP Extensible Authentication Protocol
  • The roaming device 16, 18 initiates access by sending an “EAPOL-Start” message towards the network. In the access network shown this message is received by the Access Point 19, which forwards it to the Authenticator, typically the Access Node (AN) 60, 80.
  • The Authenticator replies with an “EAPOL-Request ID” message.
  • The roaming device 16, 18 replies with an “EAP-Response (My ID)” message which identifies the roaming device.
  • The Authenticator sends an AA-Request message, including the identity provided by the roaming device, towards the Authentication Server.
  • The message passes first through the AAA relay function 350 (FIG. 3) at the VAG 62, 82, which in turn forwards it over the provider core network 40 to the Authentication Server.
  • The Authentication Server is typically part of the Service Manager 50.
  • The Authentication Server responds with an AA-Response which the Authenticator forwards as an “EAP-Request MD5 (Challenge)”.
  • The roaming device replies with an “EAP-Request MD5 (Response)”, which is forwarded as a further AA-Request message. If the information provided by the roaming device is acceptable, the Authentication Server responds with a set of parameters for the attachment of the roaming device to the network. These parameters, which are inspected by the VAG 62, 82, include the service identifier (the I-SID in the preferred embodiment) corresponding to the Extended Private LAN service the device has been registered for, the one to be used in establishing the required network connectivity, and the multicast attributes suitable for the role of that port in the service instance. The parameters can also include traffic management parameters such as bandwidth limits.
  • The I-SID for the newly authenticated device 16, 18 is locally associated by the VAG 62, 82 with its port on the attachment network 46 to which the device is connected and on which it originated the authentication dialog.
  • The binding is made in the Virtual Circuit Cross Connect (340, FIG. 3), which associates the I-SID for the private LAN service with the port to which the roaming device 18 is connected.
  • Alternatively, a full PLSB adaptation function exists in lieu of the Virtual Circuit Cross Connect.
  • The local node's interest in the I-SID, including the multicast attributes (i.e. the interest of the port of the VAG 82 which is serving the roaming device to be connected to the VPN, in the I-SID of that VPN), is advertised throughout the provider network 40 using the control plane of PLSB, which is an Intermediate System-to-Intermediate System (IS-IS) mechanism.
  • IS-IS Intermediate System-to-Intermediate System
  • This allows nodes of the provider network 40 to update their forwarding databases with instructions which allow Ethernet packets to be forwarded between the other end systems in the Extended Private LAN, including those of the private network 10, and the new port serving the roaming device.
  • The result of this process is Layer 2 connectivity, end-to-end, between the roaming device and the private network 10, and any other end devices or services which share the same I-SID.
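The FIG. 4 dialog and the binding that follows it, as an added worked example that is not part of the patent: an authentication function in the Service Manager issues an EAP-MD5 challenge, returns the I-SID, multicast attribute and bandwidth limit only on a correct response, and the VAG then binds that I-SID to the access port and derives the list of I-SIDs it advertises into the control plane. The class and method names, device identities, secrets and port names are assumptions made for the example.

```python
import hashlib
import hmac
import secrets

def eap_md5_response(chap_id: int, secret: bytes, challenge: bytes) -> bytes:
    """EAP-MD5 (CHAP-style) response: MD5(identifier || secret || challenge).
    Shown because the page names EAP-MD5; it is a demonstration of the flow, not
    a recommendation of the method itself."""
    return hashlib.md5(bytes([chap_id]) + secret + challenge).digest()

class AuthenticationServer:
    """Authentication function hosted in the Service Manager. Per registered
    roaming device it holds the shared secret and the attachment parameters the
    VAG needs: I-SID, multicast attribute for the port's role, bandwidth limit."""
    def __init__(self):
        self.registry = {}   # identity -> (secret, attachment parameters)
        self.pending = {}    # identity -> (chap_id, challenge) awaiting a response

    def register(self, identity, secret: bytes, isid: int, mcast: str, bw_kbps: int):
        self.registry[identity] = (secret, {"isid": isid, "mcast": mcast, "bw_kbps": bw_kbps})

    def challenge(self, identity):
        """First AA-Request -> AA-Response carrying the MD5 challenge. A challenge is
        issued even for unknown identities so the exchange does not leak which
        identities are registered."""
        chap_id, chal = secrets.randbelow(256), secrets.token_bytes(16)
        self.pending[identity] = (chap_id, chal)
        return chap_id, chal

    def verify(self, identity, response: bytes):
        """Second AA-Request: check the response against the single-use challenge.
        Returns the attachment parameters on success, otherwise None."""
        state = self.pending.pop(identity, None)
        entry = self.registry.get(identity)
        if state is None or entry is None:
            return None
        chap_id, chal = state
        secret, params = entry
        if not hmac.compare_digest(eap_md5_response(chap_id, secret, chal), response):
            return None
        return dict(params)

class RoamingDevice:
    def __init__(self, identity, secret: bytes):
        self.identity, self.secret = identity, secret

    def respond(self, chap_id: int, challenge: bytes) -> bytes:
        return eap_md5_response(chap_id, self.secret, challenge)

class VAG:
    """Visited Attachment Gateway: relays the AAA exchange, keeps the Virtual
    Circuit Cross Connect binding (access port -> parameters) and derives the
    I-SIDs it must advertise into the PLSB control plane."""
    def __init__(self, server: AuthenticationServer):
        self.server = server
        self.bindings = {}   # access port -> attachment parameters

    def attach(self, device: RoamingDevice, port: str):
        """Run the dialog for a device that sent EAPOL-Start on `port`.
        A failed authentication leaves no binding and nothing to advertise."""
        chap_id, chal = self.server.challenge(device.identity)          # EAP-Request MD5 (Challenge)
        params = self.server.verify(device.identity, device.respond(chap_id, chal))
        if params is None:
            return None
        self.bindings[port] = params                                     # bind I-SID to the UNI port
        return params

    def detach(self, port: str) -> None:
        self.bindings.pop(port, None)

    def advertised_isids(self) -> dict:
        """I-SID -> multicast attribute currently advertised; an I-SID leaves the
        list once its last bound port detaches."""
        return {p["isid"]: p["mcast"] for p in self.bindings.values()}

if __name__ == "__main__":
    sm = AuthenticationServer()
    sm.register("dev16@premises14", b"constructed-secret-16", isid=0x00ABCD, mcast="none", bw_kbps=20000)
    vag = VAG(sm)
    print(vag.attach(RoamingDevice("dev16@premises14", b"constructed-secret-16"), "an80/port3"))
    print(vag.attach(RoamingDevice("dev16@premises14", b"wrong-secret"), "an80/port4"))
    print(vag.advertised_isids())
```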
  • PLSB is an advantageous technology for the provider core network 40 in that it offers virtualization of bridged LAN segments in an efficient form, and eliminates unnecessary layers of indirection in how both the data plane and control plane works. This permits a simplified interface to the roaming infrastructure in that the Service Identifier returned by the Authentication Server can then be flooded into the IS-IS control plane of PLSB directly and the required service connectivity can be constructed in the amount of time it takes the network to converge.
  • PLSB Provider Link State Bridging
  • STP Spanning Tree Protocol
  • the bridges forming the mesh network have a synchronized view of the network topology. This is achieved via a link state routing system, specifically in the current realizations of PLSB, by the IS-IS routing system.
  • the bridges in the network have a synchronized view of the network topology, have knowledge of the requisite unicast and multicast connectivity, can compute a shortest path connectivity between any pair of bridges in the network and individually can populate the forwarding information bases (FIBs) according to the computed view of the network.
  • FIBs forwarding information bases
  • the network will have a loop-free unicast tree to any given bridge from the set of peer bridges; and a both congruent and loop-free point-to-multipoint (p2mp) multicast tree from any given bridge to the same set of peer bridges.
  • the result is the path between a given bridge pair is not constrained to transiting the root bridge of a spanning tree and the overall result can better utilize the breadth of connectivity of a mesh.
  • PLSB provides the equivalent of Ethernet bridged connectivity, but achieves this via configuration of the FIB as a consequence of computation applied to the IS-IS topology database rather than flooding and learning.
  • PBB Provider Backbone Bridges
  • Backbone MAC MAC-in-MAC with configured forwarding of B-MACs
  • client Ethernets can utilize the connectivity offered by the PLSB network without modification.
  • FIG. 5 is a schematic representation of a network utilizing PLSB. From the shared network topology each node calculates optimal shortest paths to other provider backbone bridges (PBB) or nodes in the network using a shortest path algorithm. The outcome of the application of the shortest path algorithm across the network, and the corresponding population of the FIB in the bridges provides a unique tree through the mesh from each bridge to the member bridges of the network. As shown in FIG. 5 , utilizing a shortest path algorithm allows a packet originating from device A to travel a more direct route to adjacent bridges 120 and 116 . Transparent bridging operations of flooding and learning can be mapped onto PLSB by 802.1ah PBBs implementing PLSB.
  • PBB provider backbone bridges
  • packets addressed to B from A will be MAC-in-MAC encapsulated in a multicast packet by bridge 110 using the group address assigned to that bridge and with a source address of bridge 110 .
  • the multicast message traverses the network via the PLSB tree and a copy eventually arrives at node 122 where the MAC-in-MAC encapsulation is stripped and the copy forwarded to device B.
  • the MAC-in-MAC transparent bridging function in bridge 122 observes the source B-MAC address in the MAC-in-MAC encapsulation and makes the association that to get to A it should be via bridge 110 .
  • Bridge 122 notes that the MAC-in-MAC destination for A is bridge 110 and wraps the message in a unicast packet addressed to bridge 110 .
  • the packet is sent through bridge 112 to bridge 110 which then strips the MAC-in-MAC encapsulation and forwards the packet on the correct port to reach device A.
  • bridge 110 observes that to reach B in the PLSB network it is via bridge 122 . Any future messages sent from device A to device B and vice versa may now use learned unicast forwarding across the PLSB network.
  • An additional desirable property with respect to VPNs is that multicast connectivity is constrained to a set of bridges participating in a community of interest.
  • The IEEE 802.1ah I-SID field is used to identify a community of interest.
  • The community of interest identifier can also be incorporated into routing system advertisements so that nodes may identify interest in I-SID identified communities of interest, and each bridge associates a unique group multicast address with each I-SID advertised.
  • A bridge that finds itself on the shortest path between two bridges installs the unicast MAC address(es) associated with each bridge, and the multicast MAC addresses for all I-SIDs common to the two bridges according to the advertised multicast attributes.
  • A given edge bridge will have unicast connectivity to all peer bridges, and multicast connectivity unique to each I-SID identified community of interest. This will be in the form of being a leaf on a multipoint-to-point (mp2p) unicast tree to each peer, and being the root of an (S,G) point-to-multipoint (p2mp) multicast tree, where S is the address of the source and G is the multicast group address, to the set of peer nodes for each community of interest.
  • The bridge pair may be transit bridges and have chosen not to offer any MAC information for flows either terminated or originated by the node. In this way, not only is multicast connectivity confined to specific groups of interest, the approach is frugal in consumption of forwarding table space for unicast connectivity.
  • The I-SID is included in routing system advertisements.
  • FIG. 6 shows how virtual private networks (VPN) can be mapped on top of the PLSB network allowing for a unique multicast tree to be mapped per VPN per edge bridge.
  • Multicast traffic is only delivered to bridges participating in the VPN.
  • VPN group multicast addresses are installed for the paths that are common.
  • Four VPN networks are identified as V1, V2, V3 and V4. Each of these corresponds to a virtual LAN between a customer site and a roaming device as shown in FIG. 1.
  • Multiple VPNs can be hosted off a bridge, such as bridge 110 , and can be individual VPN end devices.
  • For each VPN, for example V1 and V3, unique multicast trees are created. Only routes to bridges containing end points of the corresponding VPN are identified.
  • For a routing tree for V1, paths to bridge 116 and between bridge 112 and bridges 122 and 124 are required.
  • For a routing tree for V3, paths to bridge 112 and on to bridges 118 and 124 are required. This eliminates the possibility that traffic of V1 will be delivered to bridges not hosting V1 end devices, or traffic of V3 to bridges not hosting V3 end devices.
  • Each VPN may have a tree per edge bridge unique to the VPN based upon the shortest path algorithm.
  • The format of a MAC-in-MAC data frame is shown in FIG. 7.
  • The data frame begins with a header which comprises a backbone header 150, an IEEE 802.1ah encapsulation header 160 and the header 170 of the customer data frame.
  • The header 170 of the customer data frame comprises an Ethernet header 172.
  • The backbone header 150 begins with the Backbone Destination Address (B-DA) 151 and Backbone Source Address (B-SA) 152. These addresses correspond to the addresses of the port at which the traffic enters the core network (e.g. a port of switch 22 in FIG. 1) and the port at which it leaves the core network (e.g. a port to which the roaming device is connected).
  • An IEEE 802.1ad Ethertype field 153 precedes an IEEE 802.1ad B-TAG TCI field 154 which includes a VLAN tag, also known as a B-VID (Backbone VLAN Identifier). This is used to route the encapsulated frame within the provider network 40 . Paths between nodes of the provider network are identified by a particular value of the B-VID field within the B-TAG.
  • The IEEE 802.1ah encapsulation header 160 comprises an IEEE 802.1ah Ethertype field 161, which declares that the frame is of type MAC-in-MAC. This is followed by a four byte Extended Service VLAN Tag (I-TAG) field 162, which uniquely identifies the individual customer service within the carrier network.
  • The header carries the header of the encapsulated customer Ethernet data frame 170.
  • This begins with the encapsulated Ethernet header 172 which comprises an encapsulated Destination Address 173 and an encapsulated Source Address 174 .
  • These addresses correspond to addresses of the customer/end-user and can correspond, for example, to nodes A, B in FIG. 1 .
  • FIG. 8 shows the IEEE 802.1ah I-TAG in more detail, and shows that it carries the Service Identifier (I-SID) 180.
  • Other parts of the I-TAG include a priority indicator, and a drop eligibility indicator (DEI).
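The FIG. 7 / FIG. 8 layout, as an added example that is not the patent's code: a builder and parser for the backbone header, B-TAG, I-TAG and encapsulated customer header, plus the PLSB edge step that selects a Virtual Service Instance by the encapsulated I-SID and drops a frame whose I-SID no local VSI hosts. The field widths follow IEEE 802.1ad/802.1ah (B-TAG Ethertype 0x88A8 with a 12-bit B-VID, I-TAG Ethertype 0x88E7 with the I-SID in the low 24 bits of the I-TCI); the addresses, B-VID, I-SID and VSI names are constructed.

```python
"""IEEE 802.1ah (MAC-in-MAC) frame layout of FIG. 7 / FIG. 8.

Added example, not code from the patent. Layout assumed from IEEE 802.1ad /
802.1ah: B-DA(6) B-SA(6) | 0x88A8 B-TCI(2) | 0x88E7 I-TCI(4) | C-DA(6) C-SA(6)
payload. The I-TCI is I-PCP(3) I-DEI(1) UCA(1) reserved(3) I-SID(24).
"""
import struct

ETH_P_8021AD = 0x88A8  # B-TAG Ethertype
ETH_P_8021AH = 0x88E7  # I-TAG Ethertype
MIN_LEN = 12 + 4 + 6 + 12  # backbone addresses, B-TAG, I-TAG, customer addresses


def mac_bytes(mac):
    return bytes(int(x, 16) for x in mac.split(":"))


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def build_frame(b_da, b_sa, b_vid, isid, c_da, c_sa, payload, pcp=0, dei=0):
    """Encapsulate a customer frame (C-DA, C-SA, payload) for the backbone."""
    if not 0 <= isid < (1 << 24):
        raise ValueError("I-SID is a 24-bit field")
    if not 0 <= b_vid < (1 << 12):
        raise ValueError("B-VID is a 12-bit field")
    b_tci = (pcp << 13) | (dei << 12) | b_vid
    i_tci = (pcp << 29) | (dei << 28) | isid      # UCA and reserved bits zero
    return (mac_bytes(b_da) + mac_bytes(b_sa)
            + struct.pack("!HH", ETH_P_8021AD, b_tci)
            + struct.pack("!HI", ETH_P_8021AH, i_tci)
            + mac_bytes(c_da) + mac_bytes(c_sa) + payload)


def parse_frame(frame):
    """Return the backbone, I-TAG and customer fields; reject non-MAC-in-MAC input."""
    if len(frame) < MIN_LEN:
        raise ValueError("frame too short for 802.1ah headers")
    b_da, b_sa = frame[0:6], frame[6:12]
    btag_type, b_tci = struct.unpack("!HH", frame[12:16])
    if btag_type != ETH_P_8021AD:
        raise ValueError("expected 802.1ad B-TAG")
    itag_type, i_tci = struct.unpack("!HI", frame[16:22])
    if itag_type != ETH_P_8021AH:
        raise ValueError("expected 802.1ah I-TAG")
    return {
        "b_da": mac_str(b_da), "b_sa": mac_str(b_sa),
        "b_vid": b_tci & 0x0FFF,
        "i_pcp": i_tci >> 29, "i_dei": (i_tci >> 28) & 1,
        "isid": i_tci & 0x00FFFFFF,
        "c_da": mac_str(frame[22:28]), "c_sa": mac_str(frame[28:34]),
        "payload": frame[34:],
    }


def select_vsi(frame, vsi_by_isid):
    """PLSB edge step: pick the Virtual Service Instance by the encapsulated I-SID."""
    fields = parse_frame(frame)
    vsi = vsi_by_isid.get(fields["isid"])
    if vsi is None:
        # No VSI on this node hosts the I-SID: the frame is dropped, not bridged.
        return None
    return vsi, fields
```

The I-SID is the only field the edge uses to pick a service instance, so the parser masks it out explicitly rather than trusting the whole 32-bit I-TCI, and an unknown I-SID yields a drop rather than a default VSI.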
  • Layer 2 connectivity is provided end-to-end. It is desirable to provide layer 3 access as well, either to a corporate network or to the public internet.
  • Conventionally, a residential gateway is provided in the home, with router and firewall functions, and this operates at Layer 3 and provides the requisite isolation of the home network from the untrusted Internet.
  • An alternative to the conventional residential gateway is required.
  • One option is to move the usual Layer2/3 functions of the residential gateway to a node such as the Attachment Gateway 22 .
  • FIG. 2 shows a residential gateway function 212 which, together with an Access Router 206 , provides access to Layer 3 networks such as the Internet 30 .
  • Another option is to provide separate Layer 2 and Layer 3 connections between the home network and the provider network.
  • The provider network can host media stores and playout devices. Preferably, these are Universal Plug and Play (UPnP) compatible so that they can be “discovered” by any other devices in the network without requiring special configuration.
  • Other services hosted by the provider network 1 include a switched digital broadcast tuner and a Video on Demand (VoD) server.

Abstract

A virtual private network is provided across a Provider Link State Bridging (PLSB) network between a first node connected to a private LAN and a second node connected to a roaming device. The roaming device is authenticated. A successful authentication results in a Service Identifier for the VPN being sent to the second node. Connectivity between members of the VPN service instance is maintained as part of the PLSB Link State process for forwarding table maintenance, rather than by any form of explicit signalling. A single Customer Virtual Bridge/Virtual Switch Instance can be located at the first node to provide point-to-point connectivity to each roaming device. A virtual Residential Gateway function can be combined with the Customer Virtual Bridge/Virtual Switch Instance.

Description

    FIELD OF THE INVENTION
  • This invention relates to providing a virtual private network across a provider network.
  • BACKGROUND TO THE INVENTION
  • Various forms of Virtual Private Networking (VPN) technologies allow a private network to be formed between geographically separate sites, using the resources of a provider network. Existing VPN technologies are primarily aimed at the enterprise sector, and connect sites of an enterprise. In addition they may allow home workers to access the network of their employer from their home office, or allow “road warriors” to access the network of their employer while travelling. A VPN can be established at networking Layer 2 or Layer 3.
  • One type of existing Layer 2 VPN technology is the Virtual Private LAN Service (VPLS) over MPLS as described in the Internet Engineering Task Force (IETF) Requests for Comments (RFCs), numbers 4664, 4761 and 4762. This provides Ethernet multipoint-to-multipoint communication over IP/MPLS networks. Geographically dispersed sites share the same Ethernet broadcast domain and traffic between the sites is carried by a full mesh topology of “pseudo-wires” between the sites. One of the difficulties of VPLS is that when a new end point connects to the network, there is a discovery process to discover all the other end points associated with the Virtual Private LAN service, followed by signalling to set up a mesh of service-specific pseudo-wires to serve the new end point. This can take some time to achieve, will have intermediate states where only partial connectivity is available, and will generate a significant amount of telemetry due to the inefficiency of utilizing an N-squared mesh.
  • The process of creating, and updating the topology of, a VPN is further complicated when it is necessary to support roaming communication users who can connect to various points in a provider network, with the connection points often being unknown in advance. A proposal “Radius/L2TP Based VPLS”, Heinanen, J, <draft-heinanen-radius-l2tp-vpls-00.txt>, describes the use of a Remote Authentication Dial In User Service (RADIUS) server as a repository for a list of VPN sites. If the request of a new site, called a Customer Edge (CE), to join a VPN is granted, the provider network node to which it is connected, the Provider Edge (PE), learns the identifier of the CE's VPN and the IP addresses of the VPN's PEs. This still requires the new PE to establish an L2TP Control Connection with each of the other PEs of the VPN. While having some desirable characteristics for the desired service model, this approach focuses primarily on discovery of endpoints via a central registration authority.
  • As noted above, existing VPN technologies are primarily aimed at the enterprise sector, and are typically considered too difficult, or inflexible, to be applied at a residential scale or with fulfillment times that render them undesirable for roaming users.
  • Some specialist applications exist for allowing a user to remotely access a device or application on a home network, while away from their home. One example is described in WO 2005/122025 A2 (Sling Media). A personal media broadcasting system allows video distribution from a media source in the home to a media player at a remote location over a computer network and allows a user to view and control the media source in the home over the computer network. These specialist applications typically require bespoke software on a device in the home network and on the roaming device, and require configuration of the home network's firewall to allow the application to communicate with the roaming device. These applications typically interface directly with Layer 3, with traffic being carried over the Internet.
  • The present invention seeks to provide an alternative way of providing a Virtual Private Network across a provider network.
  • SUMMARY OF THE INVENTION
  • A Provider Link State Bridging (PLSB) network provides an instance of a virtual private Ethernet switching service between a private LAN attached to a first node of the PLSB network and at least one roaming device attached to a respective second node of the PLSB network. The PLSB network comprises a control plane and a data plane. Data packets in the PLSB network carry I-SID identifiers to differentiate traffic of different network users. A virtual bridging function is provided at the first node. A first I-SID identifier is allocated to traffic of the virtual private Ethernet switching service instance in the PLSB network. A PLSB path labeled by the first I-SID is established between the virtual bridging function and each respective second node. The roaming device is authenticated for access to the virtual private Ethernet switching service. A successful authentication returns the first I-SID to the second node. The first I-SID is added to a list of I-SIDs to be advertised into the PLSB network by the second node. The first I-SID identifier is advertised into the PLSB network by the virtual bridging function and the second node. The advertising is via the control plane of the PLSB network. A PLSB path is established by the PLSB control plane in response to the advertising. The roaming device is bound to a PLSB UNI interface at the second node using the first I-SID. Traffic is bridged at the virtual bridging function between the private LAN and the PLSB path to each second node.
  • The instance of a virtual private Ethernet switching service can also be considered as an Ethernet virtual private network (VPN) service which connects devices on the private LAN to the roaming device, or devices. Effectively, this creates an Extended Private LAN.
  • Roaming devices are authenticated before joining the instance of the virtual private network service. Use of Provider Link State Bridging (PLSB) simplifies the process of updating the connectivity of the virtual private network as an authenticated roaming device connects to a network access point or disconnects from a network access point. One advantage is that connectivity between members of a particular VPN is maintained as part of the PLSB Link State process for forwarding table maintenance, and does not require any form of explicit signalling or additional endpoint discovery procedures. This can allow a large number of VPNs to be formed at any time, such as providing a VPN for each private premises. It can also allow newly authenticated roaming devices to be added to a VPN on demand, in real-time, or near-real time, even across large provider networks and in situations where a roaming device connects to a network access point which that device has not used before.
  • Advantageously, PLSB provides for a number of embodiments of VPN connectivity. The simplest and most scalable is to provide a single virtual bridging function for each virtual private network instance, and to locate the virtual bridging function at the first node of the PLSB network. The virtual bridging function serves as a hub and each PLSB path to a respective second node is a point-to-point connection or ‘spoke’. Each VPN instance therefore has a simple hub-and-spoke topology. This can significantly help to scale the number of supported VPNs. There can be a single roaming device, or multiple roaming devices. A single roaming device obviates the need for multicast state to be installed for the VPN. More complex network based connectivity models are possible with PLSB, elaborated upon further in the description.
  • End-to-end Layer 2 (Ethernet) connectivity is particularly advantageous as it allows Ethernet “plug and play” behaviour between devices on the private LAN and any roaming device. The Layer 2 connectivity between the roaming device and the devices connected to the private LAN allow the devices to discover one another by broadcasting conventional messages over the virtual private network, without requiring complex protocols or assistance from other network entities.
  • The functionality described here can be implemented in software, hardware or a combination of these. The invention can be implemented by means of hardware comprising several distinct elements, and by means of a suitably programmed computer. Accordingly, another aspect of the invention provides software for performing any of the steps of the method. The software comprises instructions which, when executed by a processor, cause the processor to perform the described method. The software may be tangibly embodied on an electronic memory device, hard disk, optical disk or any other machine-readable storage medium. The software may be delivered as a computer program product on a machine-readable carrier or it may be downloaded to a node of the network via a network connection.
  • BRIEF DESCRIPTION OF THE DRAWINGS
  • Embodiments of the invention will be described, by way of example only, with reference to the accompanying drawings in which:
  • FIG. 1 shows an embodiment of an Extended Private LAN, being the extension of a residential LAN across a provider network to include two roaming devices;
  • FIG. 2 shows the functionality associated with the Hub Aggregation Gateway (HAG) of FIG. 1;
  • FIG. 3 shows the functionality associated with the Visited Aggregation Gateway (VAG) of FIG. 1;
  • FIG. 4 shows a process of authenticating one roaming device to join an Extended Private LAN;
  • FIGS. 5 and 6 show an example of a provider network supporting PLSB which can be used in FIG. 1;
  • FIG. 7 shows the format of a MAC-in-MAC frame used across the provider network; and,
  • FIG. 8 shows the location of a Service Identifier (I-SID) within the MAC-in-MAC frame of FIG. 7.
  • DESCRIPTION OF PREFERRED EMBODIMENTS
  • FIG. 1 shows a provider network 1 in accordance with an embodiment of the invention. The provider network 1 comprises a core network 40 and attachment networks 42, 44, 46. A communications subscriber has a private LAN network 10 at a premises 14, such as a home, office or other site. In a conventional manner, the private LAN network 10 comprises a wired or wireless Ethernet-based distribution network which connects devices 15. Devices 15 can include: a communication device; a server which stores music, video, digital images or any other form of media content; a broadcast receiver; a Personal Video Recorder (PVR); a printer; a home appliance; a security system; a home environment control system (e.g. controlling lighting, heating etc.) or any other device which is capable of being connected to the network.
  • In embodiments of the invention, an Extended Private LAN service is provided which has the effect of extending the private LAN 10 across the provider network 1 to roaming devices 16, 18 connected to access points of the provider network.
  • A Customer Edge (CE) device 12 interfaces between the Private LAN network 10 and an Attachment Network 42 by way of a first mile broadband connection 21. The CE has the functionality of an Ethernet Bridge or Switch. The broadband connection 21 can use Digital Subscriber Line, Passive Optical Network (PON), cable, or any other suitable broadband access technology. An Access Node (AN) 20, e.g. a Digital Subscriber Line Access Multiplexer (DSLAM), may terminate the first mile broadband media 21 and map the traffic from the CE 12 onto an attachment virtual circuit (avc) in a packet trunk 25. The packet trunk 25 can transport the aggregation of many avcs between the AN 20 and an Attachment Gateway (AG) 22. Node 22 serves as a gateway to a Layer 2 provider network 40 and may also offer access to Layer 3 networks, such as the Internet 30. In an embodiment, the node 22 can serve as the Hub for the Extended Private LAN service for the private LAN network 10 and is thus designated as a Hub Attachment Gateway (HAG). A virtual bridging function is hosted by the HAG for traffic to/from the private LAN network 10.
  • A Layer 2 provider network 40 interconnects a large number of nodes 22, 62, 82. The Layer 2 provider network 40 will be described in more detail later. In a preferred embodiment the Layer 2 provider network 40 is an Ethernet-based network which supports Provider Link State Bridging (PLSB). PLSB is described in WO 2007/03856A1. Traffic is carried across Layer 2 provider network 40 in encapsulated form, such as MAC-in-MAC (IEEE 802.1ah), with encapsulation being applied at node 22 and removed at a destination edge node, such as one of nodes 62, 82. The use of encapsulation constrains the range of MAC addresses that are required within the provider network and also helps to constrain the area over which PLSB is required to operate. Roaming devices 16, 18 can connect to the Layer 2 provider network 40 by way of (other) Attachment networks 44, 46. Each Attachment Network 44, 46 connects to the Layer 2 provider network 40 via a respective Visited Attachment Gateway (VAG) 62, 82. Each VAG 62, 82 performs the same traffic encapsulation/de-encapsulation functions as described above for the HAG 22. Roaming devices 16, 18 can connect to Attachment Networks 44, 46 via access points. Access points may be provided in public areas, such as hotels and airports, and can comprise wireless LAN access points (APs) 19 or can be made over public wireless networking technologies, such as WiMAX, using attachment networks 60. More generally, a roaming device can form a connection to Layer 2 provider network 40 via any suitable access point. Roaming devices 16, 18 can comprise portable devices which support wireless access, such as WiFi, WiMAX or any other suitable wireless access technology, or they can use a wired connection, and protocol, to connect to the access point. Attachment to the provider network 40 is governed by an attachment network-specific Access Node 60, 80 that includes an Authenticator Function. Those skilled in the art will recognise that the location and operation of the Authenticator Function varies depending on the first mile technology of the Attachment Network. Each Attachment Network 44, 46 can transparently carry Ethernet traffic to the provider's core network 40.
  • Roaming devices 16, 18 will have a relationship with a private local area network 10. For example, the roaming device 16, 18 may comprise a portable computer or game machine and may belong to the owner of the private network 10, or one of their family members, or roaming device 16, 18 may belong to an employee of the office at which the private LAN 10 is located. When a roaming device 16, 18 attempts to connect to a Visited Attachment Gateway (VAG) 62, 82 of the provider network 40, the device is authenticated (see FIG. 4). In an embodiment of the invention, if the device is successfully authenticated spoke connectivity 26, 28 is formed between the VAG 62, 82 of the Attachment network 44, 46 and the HAG 22 so that all packets from the device 16, 18 are transported to the HAG virtual bridge function (FIG. 2, 210) which forwards traffic to the private LAN 10.
  • The process of connecting the device 16, 18 to the virtual local area network includes a step of associating, or “binding”, a Service Identifier of the extended private LAN to the access point, or port, of the Layer 2 provider network 40 that the device 16, 18 has connected to. In a PLSB network this point can be described as a PLSB User-Network Interface (UNI). The Layer 2 provider network 40 is then updated to add the port where the roaming device has attached to the network to the community of interest identified by the Service Identifier(s), by establishing connectivity between the private network 10 and the port to which devices 16, 18 are connected, according to the multicast attributes associated with the service identifier(s). The roaming device 16, 18 can be identified using a shared secret, which is known to the roaming device and to the authentication function hosted in a Service Manager (SM) 52 located in the provider network 40.
  • PLSB permits multiple forms of connectivity to be established. The type of connectivity requested is a function of the multicast attributes associated with the network node 22, 62, 82 advertising interest in a specific Service Identifier. The possible multicast attributes are: register no multicast interest, send interest and/or receive interest. For one realization of a simple hub and single spoke topology, no multicast capability is required of the PLSB network, so no interest is advertised. In another realization of the hub and spoke topology, particularly with a larger number of spokes, two service instances are employed, the HAG 22 advertising send multicast interest in one and receive interest in the other, and the spokes, VAGs 62, 82, advertising the opposite arrangement. There is also a realization of an Ethernet VPN service where all end points advertise both send and receive interest, with the end points all operating in “split horizon” mode.
  • In this way, dynamic membership changes to a virtual local area network 10 are established across the provider network 40 with a wide area of coverage. The virtual LAN can be considered as a personal LAN as the community of interest can be as small as a single residence and roaming devices belonging to family members of that residence. The Extended Private LAN connects the Private local area network 10 at the customer site and the roaming device 16, 18. In the simplest case, the Extended Private LAN connects a single private local area network 10 and a single roaming device, and this single hub and spoke connectivity is enforced by the lack of multicast attributes associated with the Service Identifier.
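The rule stated for FIG. 6 above (a bridge on the shortest path between two bridges installs unicast entries for both, and multicast state only for the I-SIDs the pair has in common, so each VPN gets its own tree per edge bridge) together with the multicast attributes just described (none, send, receive; hub-and-spoke built from two service instances), as an added example that is not the patent's code. It runs the per-bridge shortest-path computation over a constructed topology that reuses the bridge numbers of FIG. 5/6, then installs unicast and (S,G) multicast entries only where the advertised attributes permit. The link costs, the B-MAC and group-MAC naming, the I-SID values and the membership of each VPN are assumptions; the equal-cost tie-break on the sorted list of bridge IDs is in the spirit of 802.1aq and is not taken from the patent.

```python
"""PLSB forwarding state per I-SID, driven by advertised multicast attributes.

Added example, not the patent's code. Topology, link costs, MAC naming and
I-SID values are constructed.
"""
import heapq

# Bridge numbers follow FIG. 5/6; the links and their costs are constructed.
TOPOLOGY = {
    110: {112: 1, 116: 1, 120: 1},
    112: {110: 1, 118: 1, 122: 1},
    116: {110: 1},
    118: {112: 1, 124: 2},
    120: {110: 1},
    122: {112: 1, 124: 1},
    124: {122: 1, 118: 2},
}

# What each bridge advertises in IS-IS: I-SID -> multicast attributes.
# 0x100/0x101: hub-and-spoke Extended Private LAN, HAG 110 with spokes 122, 124
#   (hub sends on one I-SID and receives on the other; spokes do the reverse).
# 0x200: Ethernet VPN where every member both sends and receives.
# 0x300: single hub and single spoke, no multicast attributes at all.
ADVERTS = {
    110: {0x100: {"send": True, "recv": False},
          0x101: {"send": False, "recv": True},
          0x300: {"send": False, "recv": False}},
    116: {0x200: {"send": True, "recv": True},
          0x300: {"send": False, "recv": False}},
    118: {0x200: {"send": True, "recv": True}},
    122: {0x100: {"send": False, "recv": True},
          0x101: {"send": True, "recv": False},
          0x200: {"send": True, "recv": True}},
    124: {0x100: {"send": False, "recv": True},
          0x101: {"send": True, "recv": False}},
    112: {},   # pure transit bridges advertise no service interest
    120: {},
}


def bmac(bridge):
    """Unicast B-MAC of a bridge (constructed naming)."""
    return f"00:1b:00:00:{bridge >> 8:02x}:{bridge & 0xff:02x}"


def group_mac(bridge, isid):
    """Per-bridge, per-I-SID group address (constructed naming)."""
    return (f"01:1b:{bridge >> 8:02x}:{bridge & 0xff:02x}:"
            f"{isid >> 8:02x}:{isid & 0xff:02x}")


def shortest_paths(topology, root):
    """Dijkstra from root. Equal-cost ties are broken on the sorted node list of
    the path (lowest wins), so every bridge picks the same path for a pair."""
    best = {root: (0, (root,), (root,))}   # node -> (cost, sorted ids, path)
    heap = [best[root]]
    while heap:
        entry = heapq.heappop(heap)
        cost, _sorted_ids, path = entry
        node = path[-1]
        if entry != best[node]:
            continue                        # stale heap entry
        for nbr, link_cost in topology[node].items():
            if nbr in path:
                continue
            cand_path = path + (nbr,)
            cand = (cost + link_cost, tuple(sorted(cand_path)), cand_path)
            if nbr not in best or cand < best[nbr]:
                best[nbr] = cand
                heapq.heappush(heap, cand)
    return {n: entry[2] for n, entry in best.items()}


def compute_fib(topology, adverts):
    """Every bridge runs this over the shared link-state view; returns all FIBs."""
    fib = {n: {"unicast": {}, "multicast": {}} for n in topology}
    for src in topology:
        paths = shortest_paths(topology, src)
        for dst, path in paths.items():
            if dst == src:
                continue
            hops = list(zip(path, path[1:]))      # (node, next hop) along the path
            # Unicast: each node on the path learns how to reach dst's B-MAC.
            for node, nxt in hops:
                fib[node]["unicast"][bmac(dst)] = nxt
            # Multicast: only for I-SIDs common to src and dst, and only in the
            # direction the advertised attributes allow (src sends, dst receives).
            for isid in adverts[src].keys() & adverts[dst].keys():
                if adverts[src][isid]["send"] and adverts[dst][isid]["recv"]:
                    key = (bmac(src), group_mac(src, isid))
                    for node, nxt in hops:
                        fib[node]["multicast"].setdefault(key, set()).add(nxt)
    return fib
```

With these attributes the spokes never obtain a tree towards each other on the downstream I-SID 0x100 (they only advertise receive interest), bridge 120 carries no multicast state at all, and the single hub and spoke service 0x300 produces unicast entries only, which is the enforcement by absence of multicast attributes that the text describes.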
  • The preferred realization of the invention is not intended to connect Private local area networks at multiple premises (e.g. of family members and/or friends) into a single Extended Private LAN, although this can be achieved using the mechanisms described herein, especially where the multiple premises are connected by the same attachment network.
  • It is desirable that the process of connecting roaming devices to the Extended Private LAN network is performed with minimal complexity, both to the user of the roaming device 16, 18, and to the provider network 40. The use of PLSB is particularly advantageous in minimizing the overhead. In PLSB networks the Service Identifier used to identify each service is carried as the I-SID field 180 (FIG. 8) of the 802.1ah Ethernet packets used within the provider network 40. In the context of a provider network, a service is typically the traffic of a particular enterprise or a particular telecommunications operator with which the carrier network has an agreement. The provider network encapsulates Ethernet packets at an edge node, and adds a further header 150, 160 (FIG. 7) for the purpose of routing the packet across the provider network. The encapsulation is removed from each packet at a destination edge node. The encapsulation also includes the I-SID 180. In the present invention, a unique Service Identifier is used to identify each Extended Private LAN, the Service Identifier being assigned in the first instance to the private LAN 10 and also being assigned to roaming devices 16, 18 as described below. Referring again to FIG. 1, the provider network 40 will connect to a large number of private LANs 10. Each Extended Private LAN has a unique I-SID to identify traffic forming part of that virtual private network.
  • The Extended Private LAN service is supported by functions performed at a HAG 22 which are shown in FIG. 2. Those skilled in the art will understand that although, for the purposes of clarity, the functions are depicted as separate entities, the functions can be realized in various other ways. Ethernet flows from the CE 12, are demultiplexed from the aggregate flow 25 by an Attachment Network Termination function 202 and fed to one of a plurality of Virtual Service Instances (VSIs) 200, there being a one-for-one match between Private LANs 10 and Virtual Service Instances 200. Specifically, the Ethernet flow from the Private LAN 10 is treated as a virtual port to an Ethernet Bridge function 210. Thus, the traffic flow to the private LAN 10 is a spoke to the bridge 210, which serves as a hub. A PLSB Edge function 204 de-encapsulates Ethernet Packets received from the provider core network 40 and encapsulates Ethernet packets entering the provider core network 40. Flows 26, 28 from the provider core network are delivered to the Ethernet Bridge function 210 by the PLSB Edge function 204. Each Ethernet packet carries an encapsulated I-SID. The PLSB Edge function 204 de-encapsulates packets from roaming devices 16, 18 and selects the VSI 200 that corresponds to the encapsulated I-SID.
  • In some embodiments of the invention there will be a Residential Gateway 212 function as part of the VSI 200, which can be realized as another spoke off of the Ethernet Bridge 210. The Residential Gateway function 212 includes such functions as firewalling and may also include Network Address Translation (NAT) for traffic entering or leaving the Extended Private LAN. An Access Router (AR) function 206 is responsible for routing traffic to or from the Internet 30. As a further enhancement, the Service Provider can deploy virtualized servers, such as Media gateways 220, relating to services other than the Internet directly as spokes into the Ethernet Bridge 210. Media gateways 220 may provide services such as Internet Protocol Television (IPTV).
  • FIG. 3 shows the functionality associated with the Visited Aggregation Gateway (VAG) in an Attachment Network. A PLSB Edge function 304 de-encapsulates Ethernet Packets received from the provider core network 40 and encapsulates Ethernet packets entering the provider core network 40. Ethernet flows from the Access Node are demultiplexed by an Attachment Network Termination function 302 and fed to a Virtual Circuit Cross Connect instance 340. Each Ethernet packet carries an encapsulated I-SID. The I-SID uniquely identifies traffic of a particular VPN. The PLSB Edge function 304 de-encapsulates packets received from the provider core network 40 and applies them to the instance of the virtual circuit cross connect 340 that corresponds to the encapsulated I-SID. The PLSB Edge function 304 interfaces to the PLSB control plane and, as will be described below, advertises when a new roaming device connects to the VAG. The Virtual Circuit Cross Connect maps traffic of a particular VPN (identified by an I-SID) to a virtual circuit leading to a port of an Access Node 60, 80 to which the roaming device 16, 18 of that VPN is connected. VAG 62, 82 also hosts an Authentication, Authorization and Accounting (AAA) Relay function 350 which participates in the authentication of roaming devices. A successful authentication of a roaming device which has connected to the VAG returns an I-SID for the VPN to which the roaming device should be connected. The I-SID is passed to the Virtual Circuit Cross Connect 340.
  • Once established, the extended Private LAN allows a roaming device to access devices 15 on the private network 10. The extended Private LAN provides end-to-end Layer 2 connectivity. This will allow a user to view digital images, listen to their music library and view video content such as video clips, movies or recorded television programmes. The Layer 2 connectivity between the roaming device and the devices connected to the home network allow the devices to discover one another by broadcasting conventional messages over the virtual LAN, without requiring complex protocols or assistance from other network entities. Stated another way, it allows “plug and play” behaviour between devices on the home network and any roaming device. To a user of the home network, the roaming device will appear to be another device connected directly to the home network. It is also possible for roaming devices to access other roaming devices in the same Extended Private LAN service instance for applications such as conferencing.
  • FIG. 4 shows the authentication and binding process which occurs when a roaming device 16, 18 attempts to connect to a port of the provider network 40. The steps shown in FIG. 4 are those of IEEE 802.1X with the Extensible Authentication Protocol (EAP), although it will be appreciated that other authentication protocols can be used. The roaming device 16, 18 initiates access by sending an "EAPOL-Start" message towards the network. In the access network shown, this message is received by the Access Point 19, which forwards it to the Authenticator, typically the Access Node (AN) 60, 80. The Authenticator replies with an "EAPOL-Request ID" message. The roaming device 16, 18 replies with an "EAP-Response (My ID)" message which identifies the roaming device. The Authenticator sends an AA-Request message, including the identity provided by the roaming device, towards the Authentication Server. The message passes first through the AAA relay function 350 (FIG. 3) at the VAG 62, 82, which in turn forwards it over the provider core network 40 to the Authentication Server. The Authentication Server is typically part of the Service Manager 50. The Authentication Server responds with an AA-Response, which the Authenticator forwards as an "EAP-Request MD5 (Challenge)". The roaming device replies with an "EAP-Response MD5 (Response)", which is forwarded as a further AA-Request message. If the information provided by the roaming device is acceptable, the Authentication Server responds with a set of parameters for the attachment of the roaming device to the network. These parameters, which are inspected by the VAG 62, 82, include the service identifier (the I-SID in the preferred embodiment) of the Extended Private LAN service for which the device is registered, which is the identifier used to establish the required network connectivity, and the multicast attributes appropriate to the role of that port in the service instance. The parameters can also include traffic management parameters such as bandwidth limits. The I-SID for the newly authenticated device 16, 18 is locally associated by the VAG 62, 82 with its port on the attachment network 46 to which the device is connected and on which it originated the authentication dialog. In the simpler embodiments, those that are pure hub and spoke, this is achieved by using the Virtual Circuit Cross Connect (340, FIG. 3), which associates the I-SID for the private LAN service with the port to which the roaming device 18 is connected. (In more complex embodiments, a full PLSB adaptation function exists in lieu of the Virtual Circuit Cross Connect.) The local node's interest in the I-SID, including the multicast attributes (i.e. the interest, in the I-SID of that VPN, of the port of the VAG 82 which is serving the roaming device to be connected to the VPN), is advertised throughout the provider network 40 using the control plane of PLSB, which is an Intermediate System-to-Intermediate System (IS-IS) mechanism. This allows nodes of the provider network 40 to update their forwarding databases with instructions which allow Ethernet packets to be forwarded between the other end systems in the Extended Private LAN, including those of the private network 10, and the new port serving the roaming device. The result of this process is end-to-end Layer 2 connectivity between the roaming device and the private network 10, and any other end devices or services which share the same I-SID.
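The exchange of FIG. 4, as an added example that is not code from the patent: a small model in which the roaming device, the VAG (AAA relay plus cross connect) and the Authentication Server are plain Python objects. The EAP-MD5 response is computed the way RFC 3748 section 5.4 specifies, by reusing CHAP (RFC 1994): MD5 over the one-byte EAP Identifier, the shared secret and the challenge. The dict-based AA-Request/AA-Response messages, the attribute names, the subscriber record and the port names are assumptions for illustration, not RADIUS or Diameter wire format. Two checks a practitioner would want are visible in it: the server issues a fresh challenge per attempt and consumes it, so a captured MD5 response cannot be replayed, and the VAG installs only a well-formed 24-bit I-SID that arrives in an Accept over the AAA path, never a value supplied by the roaming device. EAP-MD5 itself provides no mutual authentication and derives no keys, so this exchange protects the binding decision, not the attachment link.

```python
"""Added example (not code from the patent): a model of the FIG. 4 exchange.
Supplicant (roaming device), Authenticator/VAG and Authentication Server are plain
Python objects; the EAP-MD5 response is computed as RFC 3748 s.5.4 specifies, by
reusing CHAP (RFC 1994): MD5(Identifier || secret || challenge). The dict-based
AA-Request/AA-Response messages and the attribute names are assumptions for
illustration, not RADIUS or Diameter wire format."""
import hashlib
import hmac
import os

# Constructed subscriber records: identity -> password, registered I-SID, bandwidth limit.
SUBSCRIBERS = {
    "alice@home.example": {"password": b"correct horse", "isid": 0x00A1B2, "bw_kbps": 20000},
}


def md5_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """EAP-MD5 Response value: MD5 over the one-byte EAP Identifier, the shared secret
    and the challenge, in that order (RFC 1994 s.4.1 as used by RFC 3748)."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


class AuthServer:
    """Authentication Server (part of the Service Manager 50)."""

    def __init__(self, db):
        self.db = db
        self.pending = {}  # identity -> (identifier, challenge) for the open attempt

    def on_identity(self, identity):
        # AA-Request carrying EAP-Response/Identity -> AA-Response carrying the challenge.
        # A fresh random challenge per attempt; it is consumed by on_response().
        identifier, challenge = os.urandom(1)[0], os.urandom(16)
        self.pending[identity] = (identifier, challenge)
        return {"eap": "Request/MD5-Challenge", "identifier": identifier, "challenge": challenge}

    def on_response(self, identity, identifier, response):
        # AA-Request carrying EAP-Response/MD5-Challenge -> Accept with attachment
        # parameters, or Reject. Unknown identity and bad/replayed responses look the same.
        attempt = self.pending.pop(identity, None)
        sub = self.db.get(identity)
        if attempt is None or sub is None or identifier != attempt[0]:
            return {"result": "Reject"}
        expected = md5_response(attempt[0], sub["password"], attempt[1])
        if not hmac.compare_digest(expected, response):
            return {"result": "Reject"}
        return {"result": "Accept", "isid": sub["isid"], "bw_kbps": sub["bw_kbps"]}


class VAG:
    """Virtual Access Gateway: AAA relay (350) plus Virtual Circuit Cross Connect (340)."""

    def __init__(self, server):
        self.server = server
        self.port_isid = {}      # attachment-network port -> bound I-SID
        self.advertised = set()  # I-SIDs this node announces into IS-IS (modelled as a set)

    def bind(self, port, aa_response):
        """Inspect the AA-Response and bind the returned I-SID to the port that originated
        the dialog. Only a well-formed 24-bit I-SID from an Accept is installed."""
        if aa_response.get("result") != "Accept":
            return False
        isid = aa_response.get("isid")
        if not isinstance(isid, int) or not 0 <= isid <= 0xFFFFFF:
            return False
        self.port_isid[port] = isid
        self.advertised.add(isid)  # triggers the IS-IS advertisement described above
        return True


def supplicant_session(identity, secret, port, vag):
    """EAPOL-Start, Request-ID and Response(My ID) collapse into the first relay call;
    the VAG relays both AA-Requests to the server and binds on the final response."""
    challenge = vag.server.on_identity(identity)
    response = md5_response(challenge["identifier"], secret, challenge["challenge"])
    final = vag.server.on_response(identity, challenge["identifier"], response)
    return vag.bind(port, final)


if __name__ == "__main__":
    vag = VAG(AuthServer(SUBSCRIBERS))
    print(supplicant_session("alice@home.example", b"correct horse", "an60/port3", vag), vag.port_isid)
```

The binding is keyed by the port on which the dialog arrived, matching the text: a second device on another port has to complete its own exchange before that port carries any I-SID.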
  • PLSB is an advantageous technology for the provider core network 40 in that it offers virtualization of bridged LAN segments in an efficient form and eliminates unnecessary layers of indirection in how both the data plane and the control plane work. This permits a simplified interface to the roaming infrastructure: the Service Identifier returned by the Authentication Server can be flooded into the IS-IS control plane of PLSB directly, and the required service connectivity is constructed in the time it takes the network to converge.
  • An overview of relevant features of PLSB will now be given. A fuller description can be found in published Patent Application WO 2007/03856A1. Provider Link State Bridging (PLSB) enables Ethernet networks to be scaled from the LAN space to the WAN or provider network space by providing more efficient use of network capacity with loop-free shortest path forwarding. Rather than each node building a learned view of the network through the Spanning Tree Protocol (STP) combined with transparent bridging, in a PLSB-based network the bridges forming the mesh have a synchronized view of the network topology. This is achieved via a link state routing system, specifically, in current realizations of PLSB, the IS-IS routing system. Because the bridges share a synchronized view of the topology and know the requisite unicast and multicast connectivity, each can compute shortest path connectivity between any pair of bridges in the network and individually populate its forwarding information base (FIB) from that computed view. When all nodes have computed their role in the synchronized view and populated their FIBs, the network has a loop-free unicast tree to any given bridge from the set of peer bridges, and a congruent, loop-free point-to-multipoint (p2mp) multicast tree from any given bridge to the same set of peer bridges. The result is that the path between a given bridge pair is not constrained to transit the root bridge of a spanning tree, and the overall result can better utilize the breadth of connectivity of a mesh.
  • PLSB provides the equivalent of Ethernet bridged connectivity, but achieves this via configuration of the FIB as a consequence of computation applied to the IS-IS topology database rather than flooding and learning. As such it can be used by emerging standards such as IEEE 802.1ah Provider Backbone Bridges (PBB) or MAC-in-MAC with configured forwarding of B-MACs (Backbone MAC) and trivial modifications to the PBB adaptation function, to map client broadcast behavior to PLSB multicast, such that client Ethernets can utilize the connectivity offered by the PLSB network without modification.
  • FIG. 5 is a schematic representation of a network utilizing PLSB. From the shared network topology each node calculates optimal shortest paths to the other provider backbone bridges (PBBs), or nodes, in the network using a shortest path algorithm. The outcome of applying the shortest path algorithm across the network, and the corresponding population of the FIB in the bridges, is a unique tree through the mesh from each bridge to the member bridges of the network. As shown in FIG. 5, utilizing a shortest path algorithm allows a packet originating from device A to travel a more direct route to adjacent bridges 120 and 116. The transparent bridging operations of flooding and learning can be mapped onto PLSB by 802.1ah PBBs implementing PLSB. For example, if the location of client device B is unknown to bridge 110 in the PLSB network, packets addressed to B from A are MAC-in-MAC encapsulated by bridge 110 in a multicast packet using the group address assigned to that bridge, with a source address of bridge 110. The multicast message traverses the network via the PLSB tree and a copy eventually arrives at node 122, where the MAC-in-MAC encapsulation is stripped and the copy forwarded to device B. The MAC-in-MAC transparent bridging function in bridge 122 observes the source B-MAC address in the MAC-in-MAC encapsulation and learns that A is reached via bridge 110. When device B replies, it sends a message addressed to "A" to bridge 122. Bridge 122 notes that the MAC-in-MAC destination for A is bridge 110 and wraps the message in a unicast packet addressed to bridge 110. The packet is sent through bridge 112 to bridge 110, which strips the MAC-in-MAC encapsulation and forwards the packet on the correct port to reach device A. Similarly, bridge 110 learns that B is reached in the PLSB network via bridge 122. Any future messages sent from device A to device B, and vice versa, can now use learned unicast forwarding across the PLSB network.
  • An additional desirable property with respect to VPNs is that multicast connectivity is constrained to the set of bridges participating in a community of interest. The IEEE 802.1ah I-SID field is used to identify a community of interest. The community of interest identifier can also be incorporated into routing system advertisements, so that nodes can declare interest in I-SID-identified communities of interest, and each bridge associates a unique group multicast address with each I-SID it advertises. A bridge that finds itself on the shortest path between two bridges installs the unicast MAC address(es) associated with each bridge, and the multicast MAC addresses for all I-SIDs common to the two bridges, according to the advertised multicast attributes. The consequence is that a given edge bridge has unicast connectivity to all peer bridges, and multicast connectivity unique to each I-SID-identified community of interest: it is a leaf on a multipoint-to-point (mp2p) unicast tree to each peer, and the root of an (S,G) point-to-multipoint (p2mp) multicast tree, where S is the address of the source and G is the multicast group address, to the set of peer nodes for each community of interest. If a bridge pair has no I-SIDs in common, a further refinement could be that no unicast MAC address is installed for that pair. Similarly, a bridge pair may be transit bridges that have chosen not to offer any MAC information for flows either terminated or originated by the node. In this way, not only is multicast connectivity confined to specific groups of interest, the approach is also frugal in its consumption of forwarding table space for unicast connectivity. The I-SID is therefore included in routing system advertisements.
  • FIG. 6 shows how virtual private networks (VPNs) can be mapped on top of the PLSB network, allowing a unique multicast tree to be mapped per VPN per edge bridge. In the multicast VPN scenario multicast traffic is only delivered to bridges participating in the VPN. VPN group multicast addresses are installed only on the paths that are common. Four VPNs are identified as V1, V2, V3 and V4. Each of these corresponds to a virtual LAN between a customer site and a roaming device as shown in FIG. 1. Multiple VPNs, each with its own end devices, can be hosted off a single bridge such as bridge 110. For each VPN, for example V1 and V3, unique multicast trees are created, and only routes to bridges containing end points of the corresponding VPN are installed. For example, the tree for V1 requires paths to bridge 116 and, via bridge 112, to bridges 122 and 124. Similarly, the tree for V3 requires paths to bridge 112 and on to bridges 118 and 124. This eliminates the possibility that V1 traffic is delivered to a bridge hosting no V1 end devices, and likewise for V3. Each VPN may have a tree per edge bridge, unique to the VPN, based on the shortest path algorithm.
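The shortest-path computation, equal-cost tie-break and per-I-SID tree scoping described in the FIG. 5 and FIG. 6 paragraphs, as an added example that is not code from the patent or from any PLSB/SPB implementation. The mesh, its link metrics and the V1/V3 memberships are constructed (the bridge numbers follow the figures, the links are assumptions). Ties between equal-cost paths are broken by the smallest sorted tuple of bridge IDs on the path, the same idea as the lowest-path-ID rule of IEEE 802.1aq; because that key does not depend on direction, the forward and reverse paths, and hence the unicast and multicast trees, are congruent. The output is what a practitioner would check after convergence: a bridge that lies on no member-to-member path for an I-SID (120 here) holds no state for it, transit bridges forward a VPN's multicast without delivering it, and unicast entries are installed only where two bridges share an I-SID.

```python
"""Added example (not code from the patent): per-bridge shortest path trees and
per-I-SID multicast forwarding state for a constructed PLSB mesh."""
import heapq
from collections import defaultdict
from itertools import combinations

# Constructed mesh: undirected links with IS-IS metrics (assumed values).
LINKS = {
    (110, 112): 1, (110, 116): 1, (110, 120): 1, (112, 122): 1,
    (112, 124): 1, (116, 118): 1, (118, 124): 1, (120, 122): 1,
}
# Constructed membership: edge bridges advertising interest in FIG. 6's V1 and V3.
ISID_MEMBERS = {"V1": {110, 116, 122, 124}, "V3": {110, 118, 124}}


def adjacency(links):
    adj = defaultdict(dict)
    for (a, b), cost in links.items():
        adj[a][b] = cost
        adj[b][a] = cost
    return adj


def distances(adj, root):
    """Dijkstra from `root` over the synchronized topology database."""
    dist = {root: 0}
    pq = [(0, root)]
    while pq:
        d, u = heapq.heappop(pq)
        if d > dist[u]:
            continue
        for v, c in adj[u].items():
            if v not in dist or d + c < dist[v]:
                dist[v] = d + c
                heapq.heappush(pq, (d + c, v))
    return dist


def equal_cost_paths(adj, dist, src, dst):
    """Every shortest src->dst path, found by walking the shortest-path DAG back from dst."""
    if dst == src:
        return [[src]]
    paths = []
    for u, c in adj[dst].items():
        if u in dist and dist[u] + c == dist[dst]:
            paths.extend(p + [dst] for p in equal_cost_paths(adj, dist, src, u))
    return paths


def chosen_path(adj, src, dst):
    """Lowest-path-ID tie-break: the equal-cost path whose sorted bridge-ID tuple is
    smallest. The key is direction-independent, so src->dst and dst->src select the
    same links. (Two distinct paths over the same node set are not disambiguated.)"""
    dist = distances(adj, src)
    if dst not in dist:
        return None
    return min(equal_cost_paths(adj, dist, src, dst), key=lambda p: tuple(sorted(p)))


def isid_trees(adj, members):
    """(S,G) trees for one I-SID: root -> bridges that carry or receive its multicast."""
    trees = {}
    for root in members:
        on_tree = set()
        for leaf in members - {root}:
            on_tree.update(chosen_path(adj, root, leaf))
        trees[root] = on_tree - {root}
    return trees


def build_fib(adj, isid_members):
    """Per-bridge forwarding state. Multicast: bridge -> {(isid, root)} for every tree the
    bridge lies on. Unicast: bridge -> {peer B-MACs} installed only where the bridge sits
    on the chosen path between two bridges sharing an I-SID (the 'frugal' refinement)."""
    mcast, ucast = defaultdict(set), defaultdict(set)
    for isid, members in isid_members.items():
        for root, on_tree in isid_trees(adj, members).items():
            for b in on_tree:
                mcast[b].add((isid, root))
        for a, b in combinations(sorted(members), 2):
            for t in chosen_path(adj, a, b):
                ucast[t].update({a, b} - {t})
    return mcast, ucast


def receivers(mcast, isid_members, isid, root):
    """Split the bridges holding (isid, root) state into leaves that decapsulate the
    multicast and pure transit bridges that only forward it."""
    on_tree = {b for b, entries in mcast.items() if (isid, root) in entries}
    return on_tree & isid_members[isid], on_tree - isid_members[isid]


if __name__ == "__main__":
    adj = adjacency(LINKS)
    mcast, ucast = build_fib(adj, ISID_MEMBERS)
    for b in sorted(set(mcast) | set(ucast)):
        print(b, sorted(mcast[b]), sorted(ucast[b]))
```

Bridge 110 reaches 122 by two equal-cost routes (via 112 or via 120); the tie-break settles on 112 from both ends, and the V1 tree rooted at 110 therefore never touches 120 at all.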
  • For completeness, the format of a MAC-in-MAC data frame is shown in FIG. 7. The data frame begins with a header which comprises a backbone header 150, an IEEE 802.1ah encapsulation header 160 and the header 170 of the customer data frame. The header 170 of the customer data frame comprises an Ethernet header 172. The backbone header 150 begins with the Backbone Destination Address (B-DA) 151 and Backbone Source Address (B-SA) 152. The B-SA is the address of the port at which the traffic enters the core network (e.g. a port of switch 22 in FIG. 1) and the B-DA the address of the port at which it leaves the core network (e.g. the port to which the roaming device is connected). An IEEE 802.1ad Ethertype field 153 precedes an IEEE 802.1ad B-TAG TCI field 154 which includes a VLAN tag, also known as a B-VID (Backbone VLAN Identifier). This is used to route the encapsulated frame within the provider network 40: paths between nodes of the provider network are identified by a particular value of the B-VID field within the B-TAG. Next, the IEEE 802.1ah encapsulation header 160 comprises an IEEE 802.1ah Ethertype field 161, which declares that the frame is of type MAC-in-MAC. This is followed by a four byte Extended Service VLAN Tag (I-TAG) field 162, which uniquely identifies the individual customer service within the carrier network. Finally, the header carries the header of the encapsulated customer Ethernet data frame 170. This begins with the encapsulated Ethernet header 172, which comprises an encapsulated Destination Address 173 and an encapsulated Source Address 174. These are the addresses of the customer/end-user devices and can correspond, for example, to nodes A and B in FIG. 1. FIG. 8 shows the IEEE 802.1ah I-TAG in more detail, and shows that it carries the Service Identifier (I-SID) 180. Other parts of the I-TAG (not shown) include a priority indicator and a drop eligibility indicator (DEI).
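The FIG. 7/8 layout as working code, added here and not taken from the patent: a builder for the PBB adaptation at the ingress node and a parser for the egress node. The TPID values are the standard ones (0x88A8 for the IEEE 802.1ad B-TAG Ethertype 153, 0x88E7 for the IEEE 802.1ah I-TAG Ethertype 161), and the I-TCI bit layout is the 802.1ah one (I-PCP 3 bits, I-DEI 1 bit, UCA 1 bit, 3 reserved bits, 24-bit I-SID); the MAC addresses, B-VID and I-SID values in the sample frame are constructed. Since the I-SID in the I-TAG is the only thing that separates one Extended Private LAN from another, the example also shows the two edge rules that keep it meaningful: the ingress node takes the I-SID from the port binding, not from anything in the customer frame, and the egress node delivers a frame to a port only if the I-SID it carries is the one bound to that port. Everything after the I-TAG is opaque customer payload, even if it happens to start with another 0x88E7.

```python
"""Added example (not code from the patent): build and parse the IEEE 802.1ah
MAC-in-MAC header of FIG. 7/8. TPID values are the standard ones; the addresses,
B-VID and I-SID in the sample frame are constructed."""
import struct

TPID_BTAG = 0x88A8  # IEEE 802.1ad S-TAG TPID, used as the B-TAG Ethertype (153)
TPID_ITAG = 0x88E7  # IEEE 802.1ah I-TAG TPID, the "MAC-in-MAC" Ethertype (161)
MIN_CUSTOMER_FRAME = 14   # C-DA + C-SA + Ethertype
HEADER_LEN = 6 + 6 + 4 + 6  # B-DA, B-SA, B-TAG (TPID+TCI), I-TAG (TPID+I-TCI)


def mac(text):
    return bytes.fromhex(text.replace(":", ""))


def isid_ok(isid):
    return isinstance(isid, int) and 0 <= isid <= 0xFFFFFF  # I-SID is 24 bits


def encap(b_da, b_sa, b_vid, isid, customer_frame, pcp=0, dei=0, uca=0):
    """PBB adaptation at the ingress node: prepend backbone header (150) and
    encapsulation header (160). The I-SID comes from the port binding established at
    authentication, never from the customer frame."""
    if not 0 <= b_vid <= 0xFFF or not isid_ok(isid) or len(customer_frame) < MIN_CUSTOMER_FRAME:
        raise ValueError("bad B-VID, I-SID or customer frame")
    b_tci = (pcp << 13) | (dei << 12) | b_vid               # PCP(3) DEI(1) VID(12)
    i_tci = (pcp << 29) | (dei << 28) | (uca << 27) | isid  # PCP(3) DEI(1) UCA(1) Res(3) I-SID(24)
    return (b_da + b_sa + struct.pack("!HH", TPID_BTAG, b_tci)
            + struct.pack("!HI", TPID_ITAG, i_tci) + customer_frame)


def decap(frame):
    """Parse the outer headers; raise ValueError unless they are 802.1ad B-TAG followed
    by 802.1ah I-TAG. Only the outermost tags are interpreted: whatever follows the
    I-TAG is returned as opaque customer payload."""
    if len(frame) < HEADER_LEN + MIN_CUSTOMER_FRAME:
        raise ValueError("frame too short for MAC-in-MAC")
    b_da, b_sa = frame[0:6], frame[6:12]
    tpid, b_tci = struct.unpack("!HH", frame[12:16])
    if tpid != TPID_BTAG:
        raise ValueError("missing B-TAG")
    tpid, i_tci = struct.unpack("!HI", frame[16:22])
    if tpid != TPID_ITAG:
        raise ValueError("missing I-TAG")
    customer = frame[22:]
    return {
        "b_da": b_da, "b_sa": b_sa,
        "b_pcp": b_tci >> 13, "b_dei": (b_tci >> 12) & 1, "b_vid": b_tci & 0xFFF,
        "i_pcp": i_tci >> 29, "i_dei": (i_tci >> 28) & 1, "uca": (i_tci >> 27) & 1,
        "i_sid": i_tci & 0xFFFFFF,
        "c_da": customer[0:6], "c_sa": customer[6:12], "c_frame": customer,
    }


def egress_deliver(frame, port_isid):
    """PBB UNI egress at the node serving a roaming device: strip the encapsulation and
    hand the customer frame to the port only if the I-SID it carries is the one bound
    to that port at authentication; otherwise drop it (another service instance)."""
    hdr = decap(frame)
    return hdr["c_frame"] if hdr["i_sid"] == port_isid else None


if __name__ == "__main__":
    # Constructed sample: home switch 22 port -> roaming device port, customer A -> B.
    f = encap(mac("00:1b:21:00:00:62"), mac("00:1b:21:00:00:22"), 100, 0x00A1B2,
              mac("02:00:00:00:00:0b") + mac("02:00:00:00:00:0a") + b"\x08\x00" + b"hello B", pcp=5)
    print(f.hex(), decap(f)["i_sid"])
```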
  • It has been described how Layer 2 connectivity is provided end-to-end. It is desirable to provide Layer 3 access as well, either to a corporate network or to the public Internet. In a conventional residential broadband access scenario, a residential gateway with router and firewall functions is provided in the home; it operates at Layer 3 and provides the requisite isolation of the home network from the untrusted Internet. To permit Layer 2 access, an alternative to the conventional residential gateway is required. One option is to move the usual Layer 2/3 functions of the residential gateway to a node such as the Attachment Gateway 22. FIG. 2 shows a residential gateway function 212 which, together with an Access Router 206, provides access to Layer 3 networks such as the Internet 30. Another option is to provide separate Layer 2 and Layer 3 connections between the home network and the provider network.
  • With the topology shown in FIG. 1 it is possible to provide some new services, and it is possible to provide some conventional services in a more efficient manner. The provider network can host media stores and playout devices. Preferably, these are Universal Plug and Play (UPnP) compatible so that they can be “discovered” by any other devices in the network without requiring special configuration. Other services hosted by the provider network 1 include a switched digital broadcast tuner and a Video on Demand (VoD) server.
  • The availability of ubiquitous layer 2 connectivity with roaming enables a number of applications specific to the community of interest instantiated in the VPN. This is with respect to applications such as gaming, nailed up communication (known as push-to-talk), and intra community communications services (“family plans”).
  • The invention is not limited to the embodiments described herein, which may be modified or varied without departing from the scope of the invention.

Claims (39)

1. In a Provider Link State Bridging (PLSB) network, a method of providing an instance of a virtual private Ethernet switching service between a private LAN attached to a first node of the PLSB network and at least one roaming device attached to a respective second node of the PLSB network, the PLSB network comprising a control plane and a data plane, data packets in the PLSB network carrying I-SID identifiers to differentiate traffic of different network users, a first I-SID identifier being allocated to traffic of the virtual private Ethernet switching service instance, the method comprising:
receiving a request to authenticate the roaming device for access to the virtual private Ethernet switching service from the second node;
sending the first I-SID to the second node upon a successful authentication.
2. The method according to claim 1, the method further comprising authenticating the roaming device for access to the virtual private Ethernet switching service.
3. The method according to claim 2, wherein the step of authenticating the roaming device uses a standard authentication protocol that has been adapted to return an I-SID.
4. The method according to claim 3, wherein the authentication protocol is one of: RADIUS, DIAMETER.
5. The method according to claim 2, wherein the step of authenticating the roaming device is performed at an authentication server.
6. The method according to claim 5, wherein the first I-SID is sent to the second node from the authentication server.
7. The method according to claim 1, wherein the step of sending the first I-SID to the second node comprises sending the first I-SID in the form of a parameter to enable the attachment of the roaming device to the network.
8. The method according to claim 1, the method further comprising providing a virtual bridging function at the first node.
9. The method according to claim 8, the method further comprising bridging traffic at the virtual bridging function between the private LAN and the PLSB path to each second node.
10. The method according to claim 8, further comprising:
providing a Virtual Residential Gateway as a virtual port attached to the virtual bridging function, the Virtual Residential Gateway providing access to a Layer 3 network; and
routing traffic of the virtual private Ethernet switching service instance, which is destined for the Layer 3 network, through the Virtual Residential Gateway.
11. The method according to claim 10 wherein the Layer 3 network is the Internet.
12. The method according to claim 8, the method further comprising:
providing a further service for any of: the private LAN and the at least one roaming device, the further service being provided as a virtual port attached to the virtual bridging function.
13. The method according to claim 12 wherein the further service comprises at least one of: video-on-demand, Voice over Internet Protocol (VoIP), Internet Protocol Television (IPTV).
14. The method according to claim 1 wherein the private LAN serves a private premises and the roaming device is a device associated with the private premises.
15. Apparatus for providing an instance of a virtual private Ethernet switching service between a private LAN attached to a first node of a PLSB network and at least one roaming device attached to a respective second node of the PLSB network, the PLSB network comprising a control plane and a data plane, data packets in the PLSB network carrying I-SID identifiers to differentiate traffic of different network users, a first I-SID identifier being allocated to traffic of the virtual private Ethernet switching service instance, the apparatus being configured to:
receive a request to authenticate the roaming device for access to the virtual private Ethernet switching service from the second node; and
send the first I-SID to the second node upon a successful authentication.
16. The apparatus according to claim 15, wherein the apparatus comprises the first node of the PLSB network.
17. The apparatus according to claim 16, wherein there is a virtual bridging function at the first node for bridging traffic of the virtual private Ethernet switching service instance.
18. The apparatus according to claim 17, further comprising a Virtual Residential Gateway attached to the virtual bridging function which is arranged to provide a gateway to a Layer 3 network for traffic of the virtual private Ethernet switching service.
19. A non-transitory computer readable medium on which is stored instructions which, when executed by a processor, cause the processor to perform the method of claim 1.
20. In a Provider Link State Bridging (PLSB) network, a method of adding a roaming device to a virtual private Ethernet switching service instance for a private LAN connected to a first node of the PLSB network, the PLSB network comprising a control plane and a data plane, data packets in the PLSB network carrying I-SID identifiers to differentiate traffic of different service instances, a first I-SID identifier being allocated to traffic of the virtual private Ethernet switching service instance, the method comprising establishing a PLSB path labeled by the first I-SID between the first node and a second node by, at the second node:
receiving a request for authentication of the roaming device at the second node;
forwarding the request for authentication of the roaming device for access to the virtual private Ethernet switching service; and
receiving the first I-SID when the roaming device is authenticated.
21. The method of claim 20, further comprising adding the first I-SID to a list of I-SIDs to be advertised into the PLSB network by the second node.
22. The method of claim 21, further comprising advertising the first I-SID from the second node into the PLSB network via the control plane of the PLSB network to initiate establishment of the PLSB path.
23. The method of claim 22, further comprising binding the roaming device to a PLSB UNI interface at the respective second node using the first I-SID.
24. The method of claim 20, further comprising:
connecting the PLSB UNI to an attachment sub-network; and
forwarding the request for authentication of the roaming device by relaying authentication messaging from the attachment sub-network.
25. In a Provider Link State Bridging (PLSB) network, apparatus for adding a roaming device to a virtual private Ethernet switching service instance for a private LAN connected to a first node of the PLSB network, the PLSB network comprising a control plane and a data plane, data packets in the PLSB network carrying I-SID identifiers to differentiate traffic of different service instances, a first I-SID identifier being allocated to traffic of the virtual private Ethernet switching service instance, the apparatus comprising, at the second node:
an access network termination through which the roaming device can connect to the PLSB network; and
a controller operable:
to receive a request for authentication from the roaming device at the second node;
to forward the request for authentication of the roaming device for access to the virtual private Ethernet switching service; and
to receive the first I-SID when the roaming device is authenticated.
26. The apparatus of claim 25, wherein the controller is further operable to add the first I-SID to a list of I-SIDs to be advertised into the PLSB network by the respective second node.
27. The apparatus of claim 26, wherein the controller is further operable to advertise the first I-SID into the PLSB network via the control plane of the PLSB network to initiate establishment of the PLSB path.
28. The apparatus of claim 27, wherein the controller is further operable to bind the roaming device to a PLSB UNI interface at the respective second node using the first I-SID.
29. The apparatus of claim 25, wherein the controller is further operable:
to connect the PLSB UNI to an attachment sub-network; and
to forward the request for authentication of the roaming device by relaying authentication messaging from the attachment sub-network.
30. In a Provider Link State Bridging (PLSB) network, a method of providing an instance of a virtual private Ethernet switching service between a private LAN connected to a first node of the PLSB network and roaming devices connected to respective second nodes of the PLSB network, the PLSB network comprising a control plane and a data plane, data packets in the PLSB network carrying I-SID identifiers to differentiate traffic of different service instances, a respective I-SID being allocated to traffic of each virtual private Ethernet switching service instance, the method comprising:
providing at the first node a respective virtual bridging function for each instance of the virtual private Ethernet switching service served by the first node;
receiving at the first node an I-SID advertised by a respective second node, the advertised I-SID being allocated to traffic of a virtual private Ethernet service instance served by the first node;
determining that the received I-SID was sent by a respective second node not previously associated with the virtual private Ethernet service instance at the first node; and
associating the respective second node with the virtual private Ethernet service instance at the first node.
31. The method of claim 30, comprising establishing at the first node for an instance of the virtual private Ethernet service served by the first node a respective PLSB path between the virtual bridging function at the first node and each respective second node to establish a hub and spoke configuration between the first node and the respective second nodes for the instance of the virtual private Ethernet switching service.
32. The method of claim 30, wherein:
the advertising received at the first node from the respective second nodes indicates no multicast interest;
establishing a respective PLSB path comprises establishing a point-to-point path between the virtual bridging function at the first node and the respective second node; and
the first node replicates received multicast frames and unicasts the replicated frames to respective second nodes.
33. The method of claim 30, wherein:
the advertising received at the first node from the respective second nodes indicates multicast interest; and
the first node multicasts received multicast frames in a split horizon mode.
34. In a Provider Link State Bridging (PLSB) network for providing an instance of a virtual private Ethernet switching service between a private LAN connected to a first node of the PLSB network and roaming devices connected to respective second nodes of the PLSB network, the PLSB network comprising a control plane and a data plane, data packets in the PLSB network carrying I-SID identifiers to differentiate traffic of different service instances, a respective I-SID being allocated to traffic of each virtual private Ethernet switching service instance, apparatus at the first node comprising:
an access network termination through which the private LAN can connect to the PLSB network; and
a controller operable:
to provide a respective virtual bridging function for each instance of the virtual private Ethernet switching service served by the first node;
to receive an I-SID advertised by a respective second node, the advertised I-SID being allocated to traffic of a virtual private Ethernet service instance served by the first node;
to determine that the received I-SID was sent by a respective second node not previously associated with the virtual private Ethernet service instance at the first node; and
to associate the respective second node with the virtual private Ethernet service instance at the first node.
35. The apparatus of claim 34, wherein the controller is operable to establish at the first node for an instance of the virtual private Ethernet service served by the first node a respective PLSB path between the virtual bridging function at the first node and each respective second node to establish a hub and spoke configuration between the first node and the respective second nodes for the instance of the virtual private Ethernet switching service.
36. The apparatus of claim 34, wherein:
the advertising received at the first node from the respective second nodes indicates no multicast interest; and
the controller is operable:
to establish a respective PLSB path by establishing a point-to-point path between the virtual bridging function at the first node and the respective second node;
to replicate received multicast frames; and
to unicast the replicated frames to respective second nodes.
37. The apparatus of claim 34, wherein:
the advertising received at the first node from the respective second nodes indicates multicast interest; and
the controller is operable to multicast received multicast frames in a split horizon mode.
38. The apparatus of claim 34, further comprising an access router through which the private LAN can connect to a Layer 3 network.
39. The apparatus of claim 38, wherein the access router is operable to connect the private LAN to an Internet Protocol (IP) network.

Priority Applications (1)

Application Number Priority Date Filing Date Title
US13/226,601 US20110317678A1 (en) 2008-09-30 2011-09-07 Extended Private LAN

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US12/241,312 US8045570B2 (en) 2008-09-30 2008-09-30 Extended private LAN
US13/226,601 US20110317678A1 (en) 2008-09-30 2011-09-07 Extended Private LAN

Related Parent Applications (1)

Application Number Title Priority Date Filing Date
US12/241,312 Continuation US8045570B2 (en) 2008-09-30 2008-09-30 Extended private LAN

Publications (1)

Publication Number Publication Date
US20110317678A1 true US20110317678A1 (en) 2011-12-29

Family

ID=42057429

Family Applications (2)

Application Number Title Priority Date Filing Date
US12/241,312 Expired - Fee Related US8045570B2 (en) 2008-09-30 2008-09-30 Extended private LAN
US13/226,601 Abandoned US20110317678A1 (en) 2008-09-30 2011-09-07 Extended Private LAN

Family Applications Before (1)

Application Number Title Priority Date Filing Date
US12/241,312 Expired - Fee Related US8045570B2 (en) 2008-09-30 2008-09-30 Extended private LAN

Country Status (1)

Country Link
US (2) US8045570B2 (en)

Cited By (13)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20110179184A1 (en) * 2010-01-18 2011-07-21 Breau Jeremy R Integration Of Remote Electronic Device With Media Local Area Network
US20120215842A1 (en) * 2008-01-17 2012-08-23 Samsung Electronics Co., Ltd. Method and apparatus for outputting event of third party device in home network supporting upnp remote protocol
US9125234B1 (en) 2010-06-01 2015-09-01 Sprint Communications Company L.P. Femtocell bridging in media local area networks
US20160285762A1 (en) * 2015-03-23 2016-09-29 Brocade Communications Systems, Inc. Techniques for exchanging control and configuration information in a network visibility system
US9485801B1 (en) 2014-04-04 2016-11-01 Sprint Communications Company L.P. Mobile communication device connected to home digital network
US20160330613A1 (en) * 2014-04-03 2016-11-10 Centurylink Intellectual Property Llc System and Method for Implementing Network Experience Shifting
US9794647B1 (en) 2010-02-02 2017-10-17 Sprint Communications Company L.P. Centralized program guide
US10110710B2 (en) 2014-04-03 2018-10-23 Centurylink Intellectual Property Llc System and method for implementing extension of customer LAN at provider network service point
US10481938B2 (en) 2015-05-06 2019-11-19 Centurylink Intellectual Property Llc System and method for implementing network experience shifting
US10673978B2 (en) 2015-05-06 2020-06-02 Centurylink Intellectual Property Llc Method and system for implementing network experience shifting using shared objects
US10698569B2 (en) 2014-04-03 2020-06-30 Centurylink Intellectual Property Llc System and method for implementing customer control point or customer portal
US10750387B2 (en) 2015-03-23 2020-08-18 Extreme Networks, Inc. Configuration of rules in a network visibility system
US10911353B2 (en) 2015-06-17 2021-02-02 Extreme Networks, Inc. Architecture for a network visibility system

Families Citing this family (35)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8363658B1 (en) * 2008-11-13 2013-01-29 Sprint Communications Company L.P. Dynamic firewall and dynamic host configuration protocol configuration
US8479266B1 (en) 2008-11-13 2013-07-02 Sprint Communications Company L.P. Network assignment appeal architecture and process
US8341717B1 (en) 2008-11-13 2012-12-25 Sprint Communications Company L.P. Dynamic network policies based on device classification
US8230050B1 (en) * 2008-12-10 2012-07-24 Amazon Technologies, Inc. Providing access to configurable private computer networks
US9137209B1 (en) 2008-12-10 2015-09-15 Amazon Technologies, Inc. Providing local secure network access to remote services
US8201237B1 (en) 2008-12-10 2012-06-12 Amazon Technologies, Inc. Establishing secure remote access to private computer networks
US9524167B1 (en) 2008-12-10 2016-12-20 Amazon Technologies, Inc. Providing location-specific network access to remote services
US8325732B2 (en) * 2008-12-22 2012-12-04 Rockstar Consortium Us Lp Method for operating multi-domain Provider Ethernet networks
US8509248B2 (en) * 2008-12-29 2013-08-13 Juniper Networks, Inc. Routing frames in a computer network using bridge identifiers
US8199753B2 (en) * 2009-06-05 2012-06-12 Juniper Networks, Inc. Forwarding frames in a computer network using shortest path bridging
US8125928B2 (en) * 2009-07-24 2012-02-28 Juniper Networks, Inc. Routing frames in a shortest path computer network for a multi-homed legacy bridge node
KR101409698B1 (en) * 2009-12-17 2014-06-19 Alcatel Lucent Method and device for determining forwarding rule for data packets
US8873401B2 (en) * 2010-03-16 2014-10-28 Futurewei Technologies, Inc. Service prioritization in link state controlled layer two networks
EP2405678A1 (en) * 2010-03-30 2012-01-11 British Telecommunications public limited company System and method for roaming WLAN authentication
US8514724B2 (en) * 2011-01-13 2013-08-20 Cisco Technology, Inc. Testing connectivity in networks using overlay transport virtualization
US20120320918A1 (en) 2011-06-14 2012-12-20 International Business Machines Bridge port between hardware lan and virtual switch
US8751614B2 (en) 2011-10-11 2014-06-10 Telefonaktiebolaget L M Ericsson (Publ) Providing virtualized visibility through routers
US8812670B2 (en) * 2011-10-11 2014-08-19 Telefonaktiebolaget L M Ericsson (Publ) Architecture for virtualized home IP service delivery
US10015083B2 (en) * 2011-12-22 2018-07-03 Amazon Technologies, Inc. Interfaces to manage inter-region connectivity for direct network peerings
US8724642B2 (en) 2011-11-29 2014-05-13 Amazon Technologies, Inc. Interfaces to manage direct network peerings
JP5944184B2 (en) * 2012-02-29 2016-07-05 Toshiba Corporation Information notification apparatus, method, program, and system
EP2850861B1 (en) 2012-05-14 2019-05-08 Nec Corporation Method and system for accessing service/data of a first network from a second network for service/data access via the second network
US9025439B2 (en) 2012-06-26 2015-05-05 Telefonaktiebolaget L M Ericsson (Publ) Method and system to enable re-routing for home networks upon connectivity failure
US9178710B2 (en) * 2012-11-01 2015-11-03 Avaya Inc. Selective multicast
EP2750349A1 (en) * 2012-12-31 2014-07-02 British Telecommunications public limited company Method and device for secure network access
US9203694B2 (en) 2013-03-15 2015-12-01 Telefonaktiebolaget L M Ericsson (Publ) Network assisted UPnP remote access
US10217145B1 (en) 2014-02-18 2019-02-26 Amazon Technologies, Inc. Partitioned private interconnects to provider networks
US9918346B2 (en) * 2015-04-17 2018-03-13 Barracuda Networks, Inc. System for connecting, securing and managing network devices with a dedicated private virtual network
US20220337679A1 (en) * 2015-05-06 2022-10-20 Centurylink Intellectual Property Llc System and method for implementing extension of customer lan at provider network service point
US9979711B2 (en) 2015-06-26 2018-05-22 Cisco Technology, Inc. Authentication for VLAN tunnel endpoint (VTEP)
US11070395B2 (en) * 2015-12-09 2021-07-20 Nokia Of America Corporation Customer premises LAN expansion
US10158567B1 (en) 2016-04-14 2018-12-18 Cisco Technology, Inc. PBB-EVPN customer MAC synchronization among all-active multi-homing PEs
US10033636B1 (en) * 2016-04-14 2018-07-24 Cisco Technology, Inc. Ethernet segment aware MAC address learning
CN110198317A (en) * 2019-05-31 2019-09-03 FiberHome Telecommunication Technologies Co., Ltd. A kind of portal authentication method and system based on port
CN111049721B (en) * 2019-12-12 2021-06-29 Guangzhou Robustel IoT Technology Co., Ltd. OpenVPN cluster, construction method thereof, communication method and system

Citations (25)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20060190570A1 (en) * 2005-02-19 2006-08-24 Cisco Technology, Inc. Techniques for zero touch provisioning of edge nodes for a virtual private network
US20070086361A1 (en) * 2005-10-05 2007-04-19 Nortel Networks Limited Provider link state bridging
US20070116045A1 (en) * 2005-11-02 2007-05-24 Nortel Networks Limited Method and apparatus for transporting ethernet services
US20070124368A1 (en) * 2004-02-13 2007-05-31 Envisionit Llc Message broadcasting admission control system and method
US20070123220A1 (en) * 2004-02-13 2007-05-31 Envisionit Llc Message broadcasting geo-fencing system and method
US20070165657A1 (en) * 2005-10-05 2007-07-19 Nortel Networks Limited Multicast implementation in a link state protocol controlled Ethernet network
US20070280267A1 (en) * 2006-03-03 2007-12-06 Nortel Networks Limited Completely Dry Pseudowires
US7339929B2 (en) * 2002-08-23 2008-03-04 Corrigent Systems Ltd. Virtual private LAN service using a multicast protocol
US20080172497A1 (en) * 2007-01-17 2008-07-17 Nortel Networks Limited Method and Apparatus for Interworking Ethernet and MPLS Networks
US20080186965A1 (en) * 2006-08-15 2008-08-07 Huawei Technologies Co., Ltd. Method and system for forwarding data in layer-2 network
US20080212595A1 (en) * 2007-01-25 2008-09-04 Hammerhead Systems, Inc. Mapping PBT and PBB-TE traffic to VPLS and other services
US20080247406A1 (en) * 2007-03-26 2008-10-09 Hammerhead Systems, Inc. Layer 2 virtual private network over PBB-TE/PBT and seamless interworking with VPLS
US20090041023A1 (en) * 2007-08-10 2009-02-12 Nortel Networks Limited Method and Apparatus for Interworking VPLS and Ethernet Networks
US20090190504A1 (en) * 2008-01-24 2009-07-30 Cisco Technology, Inc. Multiple I-service registration protocol (MIRP)
US20090232005A1 (en) * 2007-10-12 2009-09-17 Nortel Networks Limited IP Network and Performance Monitoring Using Ethernet OAM
US20090276827A1 (en) * 2008-04-30 2009-11-05 H3C Technologies Co., Ltd. Method and Apparatus for Network Access Control (NAC) in Roaming Services
US7630328B2 (en) * 2004-08-18 2009-12-08 AT&T Intellectual Property I, L.P. SIP-based session control
US20100020797A1 (en) * 2006-12-14 2010-01-28 Nortel Networks Limited Method and apparatus for exchanging routing information and establishing connectivity across multiple network areas
US7693164B1 (en) * 2007-02-05 2010-04-06 World Wide Packets, Inc. Configuring a packet tunnel network
US7697534B1 (en) * 2008-04-18 2010-04-13 Cisco Technology, Inc. Virtual private LAN service networks with mixed mode network devices
US7724745B1 (en) * 2006-03-09 2010-05-25 Cisco Technology, Inc. Method and device for efficient transmission of flood data frames in a backbone network
US20100309894A1 (en) * 2007-09-07 2010-12-09 Telefonaktiebolaget L M Ericsson (Publ) Method and Apparatuses for Allowing a Nomadic Terminal to Access a Home Network on Layer 2 Level
US20110038382A1 (en) * 2006-12-27 2011-02-17 Entry Point, Llc System and method to provide multiple private networks using pbb/te
US8279871B1 (en) * 2007-10-29 2012-10-02 Marvell Israel (M.I.S.L.) Ltd. Methods and apparatus for processing multi-headed packets
US8321670B2 (en) * 2008-07-11 2012-11-27 Bridgewater Systems Corp. Securing dynamic authorization messages

Family Cites Families (7)

Publication number Priority date Publication date Assignee Title
US7707614B2 (en) 2004-06-07 2010-04-27 Sling Media, Inc. Personal media broadcasting system with output buffer
EP2104897A4 (en) * 2007-01-17 2010-12-22 Nortel Networks Ltd Border gateway protocol extended community attribute for layer-2 and layer-3 virtual private networks using 802.1ah-based tunnels
US8442030B2 (en) * 2007-03-01 2013-05-14 Extreme Networks, Inc. Software control plane for switches and routers
US8509440B2 (en) * 2007-08-24 2013-08-13 Futurewei Technologies, Inc. PANA for roaming Wi-Fi access in fixed network architectures
US8335490B2 (en) * 2007-08-24 2012-12-18 Futurewei Technologies, Inc. Roaming Wi-Fi access in fixed network architectures
US7852849B2 (en) * 2008-03-04 2010-12-14 Bridgewater Systems Corp. Providing dynamic quality of service for virtual private networks
US8023518B2 (en) * 2008-05-02 2011-09-20 Telefonaktiebolaget L M Ericsson (Publ) Efficient path setup in a provider backbone bridge network

Patent Citations (27)

Publication number Priority date Publication date Assignee Title
US7339929B2 (en) * 2002-08-23 2008-03-04 Corrigent Systems Ltd. Virtual private LAN service using a multicast protocol
US20070124368A1 (en) * 2004-02-13 2007-05-31 Envisionit Llc Message broadcasting admission control system and method
US20070123220A1 (en) * 2004-02-13 2007-05-31 Envisionit Llc Message broadcasting geo-fencing system and method
US7630328B2 (en) * 2004-08-18 2009-12-08 AT&T Intellectual Property I, L.P. SIP-based session control
US7535856B2 (en) * 2005-02-19 2009-05-19 Cisco Technology, Inc. Techniques for zero touch provisioning of edge nodes for a virtual private network
US20060190570A1 (en) * 2005-02-19 2006-08-24 Cisco Technology, Inc. Techniques for zero touch provisioning of edge nodes for a virtual private network
US20070086361A1 (en) * 2005-10-05 2007-04-19 Nortel Networks Limited Provider link state bridging
US20070165657A1 (en) * 2005-10-05 2007-07-19 Nortel Networks Limited Multicast implementation in a link state protocol controlled Ethernet network
US20070116045A1 (en) * 2005-11-02 2007-05-24 Nortel Networks Limited Method and apparatus for transporting ethernet services
US20070280267A1 (en) * 2006-03-03 2007-12-06 Nortel Networks Limited Completely Dry Pseudowires
US7724745B1 (en) * 2006-03-09 2010-05-25 Cisco Technology, Inc. Method and device for efficient transmission of flood data frames in a backbone network
US20080186965A1 (en) * 2006-08-15 2008-08-07 Huawei Technologies Co., Ltd. Method and system for forwarding data in layer-2 network
US20100020797A1 (en) * 2006-12-14 2010-01-28 Nortel Networks Limited Method and apparatus for exchanging routing information and establishing connectivity across multiple network areas
US20110038382A1 (en) * 2006-12-27 2011-02-17 Entry Point, Llc System and method to provide multiple private networks using pbb/te
US20080172497A1 (en) * 2007-01-17 2008-07-17 Nortel Networks Limited Method and Apparatus for Interworking Ethernet and MPLS Networks
US20080212595A1 (en) * 2007-01-25 2008-09-04 Hammerhead Systems, Inc. Mapping PBT and PBB-TE traffic to VPLS and other services
US7693164B1 (en) * 2007-02-05 2010-04-06 World Wide Packets, Inc. Configuring a packet tunnel network
US20080247406A1 (en) * 2007-03-26 2008-10-09 Hammerhead Systems, Inc. Layer 2 virtual private network over PBB-TE/PBT and seamless interworking with VPLS
US20090041023A1 (en) * 2007-08-10 2009-02-12 Nortel Networks Limited Method and Apparatus for Interworking VPLS and Ethernet Networks
US20100309894A1 (en) * 2007-09-07 2010-12-09 Telefonaktiebolaget L M Ericsson (Publ) Method and Apparatuses for Allowing a Nomadic Terminal to Access a Home Network on Layer 2 Level
US20090232005A1 (en) * 2007-10-12 2009-09-17 Nortel Networks Limited IP Network and Performance Monitoring Using Ethernet OAM
US8279871B1 (en) * 2007-10-29 2012-10-02 Marvell Israel (M.I.S.L.) Ltd. Methods and apparatus for processing multi-headed packets
US7839800B2 (en) * 2008-01-24 2010-11-23 Cisco Technology, Inc. Multiple I-service registration protocol (MIRP)
US20090190504A1 (en) * 2008-01-24 2009-07-30 Cisco Technology, Inc. Multiple I-service registration protocol (MIRP)
US7697534B1 (en) * 2008-04-18 2010-04-13 Cisco Technology, Inc. Virtual private LAN service networks with mixed mode network devices
US20090276827A1 (en) * 2008-04-30 2009-11-05 H3C Technologies Co., Ltd. Method and Apparatus for Network Access Control (NAC) in Roaming Services
US8321670B2 (en) * 2008-07-11 2012-11-27 Bridgewater Systems Corp. Securing dynamic authorization messages

Non-Patent Citations (1)

Title
Mario Ibáñez, Virtualization of Residential Gateways, June 2007, Telematic Engineering Department, Universidad Carlos III de Madrid, Leganés, Spain *

Cited By (27)

Publication number Priority date Publication date Assignee Title
US20120215842A1 (en) * 2008-01-17 2012-08-23 Samsung Electronics Co., Ltd. Method and apparatus for outputting event of third party device in home network supporting upnp remote protocol
US8645577B2 (en) * 2008-01-17 2014-02-04 Samsung Electronics Co., Ltd. Method and apparatus for outputting event of third party device in home network supporting UPnP remote protocol
US9118934B2 (en) * 2010-01-18 2015-08-25 Sprint Communications Company L.P. Integration of remote electronic device with media local area network
US20110179184A1 (en) * 2010-01-18 2011-07-21 Breau Jeremy R Integration Of Remote Electronic Device With Media Local Area Network
US9794647B1 (en) 2010-02-02 2017-10-17 Sprint Communications Company L.P. Centralized program guide
US9125234B1 (en) 2010-06-01 2015-09-01 Sprint Communications Company L.P. Femtocell bridging in media local area networks
US9733975B2 (en) * 2014-04-03 2017-08-15 Centurylink Intellectual Property Llc System and method for implementing network experience shifting
US20160330613A1 (en) * 2014-04-03 2016-11-10 Centurylink Intellectual Property Llc System and Method for Implementing Network Experience Shifting
US10698569B2 (en) 2014-04-03 2020-06-30 Centurylink Intellectual Property Llc System and method for implementing customer control point or customer portal
US10110710B2 (en) 2014-04-03 2018-10-23 Centurylink Intellectual Property Llc System and method for implementing extension of customer LAN at provider network service point
US10356225B2 (en) 2014-04-03 2019-07-16 Centurylink Intellectual Property Llc System and method for implementing isolated service overlays between provider network service point and customer premises
US10897523B2 (en) 2014-04-03 2021-01-19 Centurylink Intellectual Property Llc System and method for implementing isolated service overlays between provider network service point and customer premises
US10616377B2 (en) 2014-04-03 2020-04-07 Centurylink Intellectual Property Llc System and method for implementing network enhanced gateway functionality
US10666772B2 (en) 2014-04-03 2020-05-26 Centurylink Intellectual Property Llc System and method for implementing extension of customer LAN at provider network service point
US11381669B2 (en) 2014-04-03 2022-07-05 Centurylink Intellectual Property Llc System and method for implementing extension of customer LAN at provider network service point
US9485801B1 (en) 2014-04-04 2016-11-01 Sprint Communications Company L.P. Mobile communication device connected to home digital network
US10771475B2 (en) * 2015-03-23 2020-09-08 Extreme Networks, Inc. Techniques for exchanging control and configuration information in a network visibility system
US10750387B2 (en) 2015-03-23 2020-08-18 Extreme Networks, Inc. Configuration of rules in a network visibility system
US20160285762A1 (en) * 2015-03-23 2016-09-29 Brocade Communications Systems, Inc. Techniques for exchanging control and configuration information in a network visibility system
US10673978B2 (en) 2015-05-06 2020-06-02 Centurylink Intellectual Property Llc Method and system for implementing network experience shifting using shared objects
US10880399B2 (en) 2015-05-06 2020-12-29 Centurylink Intellectual Property Llc Method and system for implementing network experience shifting using shared objects
US10481938B2 (en) 2015-05-06 2019-11-19 Centurylink Intellectual Property Llc System and method for implementing network experience shifting
US11099883B2 (en) 2015-05-06 2021-08-24 Centurylink Intellectual Property Llc System and method for implementing network experience shifting
US11544101B2 (en) 2015-05-06 2023-01-03 Centurylink Intellectual Property Llc System and method for implementing network experience shifting
US11740924B2 (en) 2015-05-06 2023-08-29 Centurylink Intellectual Property Llc System and method for implementing network experience shifting
US11934860B2 (en) 2015-05-06 2024-03-19 Centurylink Intellectual Property Llc System and method for implementing network experience shifting
US10911353B2 (en) 2015-06-17 2021-02-02 Extreme Networks, Inc. Architecture for a network visibility system

Also Published As

Publication number Publication date
US20100080238A1 (en) 2010-04-01
US8045570B2 (en) 2011-10-25

Similar Documents

Publication Publication Date Title
US8045570B2 (en) Extended private LAN
US10693679B2 (en) Using multiple ethernet virtual private network (EVPN) routes for corresponding service interfaces of a subscriber interface
Gleeson et al. A framework for IP based virtual private networks
US9055001B2 (en) Border gateway protocol extended community attribute for layer-2 and layer-3 virtual private networks
US11296908B2 (en) Using multiple ethernet virtual private network (EVPN) routes for corresponding service interfaces of a subscriber interface
US8051201B2 (en) Method for providing scalable multicast service in a virtual private LAN service
US7898965B2 (en) IP network and performance monitoring using ethernet OAM
EP1695508B1 (en) Ethernet DSL access multiplexer and method providing dynamic service selection and end-user configuration
US8953590B1 (en) Layer two virtual private network having control plane address learning supporting multi-homed customer networks
US20080198858A1 (en) Simple Virtual Private Network For Small Local Area Networks
EP3937433A1 (en) Point-to-multipoint functionality in a bridged network
Guichard et al. MPLS and VPN architectures
KR20110104484A (en) A method for operating multi-domain provider ethernet networks
Shah et al. IP-only LAN service (IPLS)
Gleeson et al. RFC2764: A framework for IP based virtual private networks
Pepelnjak MPLS and VPN Architectures (Volume II)
Joseph et al. Network convergence: Ethernet applications and next generation packet transport architectures
Ibáñez et al. ABridges: Scalable, self-configuring Ethernet campus networks
Singh BGP MPLS based EVPN And its implementation and use cases
Barguil et al. RFC 9181: A Common YANG Data Model for Layer 2 and Layer 3 VPNs
Hernandez‐Valencia et al. Managed virtual private LAN services
Gleeson, Lin, Heinanen, Armitage et al. RFC 2764: A framework for IP based virtual private networks (Informational)
Shah, Rosen, Le Faucheur et al. RFC 7436: IP-Only LAN Service (IPLS) (Historic)
Asadullah et al. RFC 4779: ISP IPv6 Deployment Scenarios in Broadband Access Networks
Palet CSC/FUNET

Legal Events

Date Code Title Description
AS Assignment
Owner name: ROCKSTAR CONSORTIUM US LP, TEXAS
Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:ROCKSTAR BIDCO, LP;REEL/FRAME:029811/0167
Effective date: 20120509

AS Assignment
Owner name: RPX CLEARINGHOUSE LLC, CALIFORNIA
Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:ROCKSTAR CONSORTIUM US LP;ROCKSTAR CONSORTIUM LLC;BOCKSTAR TECHNOLOGIES LLC;AND OTHERS;REEL/FRAME:034924/0779
Effective date: 20150128

STCB Information on status: application discontinuation
Free format text: ABANDONED -- FAILURE TO RESPOND TO AN OFFICE ACTION